diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 7cc99f80b3..df4ae61d44 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -12724,6 +12724,16 @@
       "source_path": "windows/update/waas-wufb-group-policy.md",
       "redirect_url": "/windows/deployment/update/waas-wufb-group-policy",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/upgrade/windows-10-edition-upgrades.md",
+      "redirect_url": "/windows/deployment/upgrade/windows-edition-upgrades",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/windows-10-media.md",
+      "redirect_url": "/licensing/",
+      "redirect_document_id": false
     }
   ]
 }
diff --git a/.openpublishing.redirection.windows-application-management.json b/.openpublishing.redirection.windows-application-management.json
index 963abce1b0..4b1866c772 100644
--- a/.openpublishing.redirection.windows-application-management.json
+++ b/.openpublishing.redirection.windows-application-management.json
@@ -7,17 +7,22 @@
     },
     {
       "source_path": "windows/application-management/msix-app-packaging-tool.md",
-      "redirect_url": "/windows/application-management/apps-in-windows-10",
+      "redirect_url": "/windows/application-management/overview-windows-apps",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/application-management/provisioned-apps-windows-client-os.md",
-      "redirect_url": "/windows/application-management/apps-in-windows-10",
+      "redirect_url": "/windows/application-management/overview-windows-apps#windows-apps",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/application-management/system-apps-windows-client-os.md",
-      "redirect_url": "/windows/application-management/apps-in-windows-10",
+      "redirect_url": "/windows/application-management/overview-windows-apps#windows-apps",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/application-management/apps-in-windows-10.md",
+      "redirect_url": "/windows/application-management/overview-windows-apps",
       "redirect_document_id": false
     }
   ]
diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json
index 49fd3e464e..06fc754819 100644
--- a/.openpublishing.redirection.windows-deployment.json
+++ b/.openpublishing.redirection.windows-deployment.json
@@ -750,6 +750,11 @@
       "redirect_url": "/windows/deployment/windows-10-subscription-activation",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/deployment/do/mcc-enterprise-portal-deploy.md",
+      "redirect_url": "/windows/deployment/do/mcc-enterprise-deploy",
+      "redirect_document_id": false
+    },    
     {
       "source_path": "windows/deployment/windows-autopatch/deploy/index.md",
       "redirect_url": "/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts",
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index facb849e8b..8cbc4ef4cd 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -7334,6 +7334,86 @@
       "source_path": "windows/security/zero-trust-windows-device-health.md",
       "redirect_url": "/windows/security/security-foundations/zero-trust-windows-device-health",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/credential-guard/credential-guard.md",
+      "redirect_url": "/windows/security/identity-protection/credential-guard",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/credential-guard/credential-guard-considerations.md",
+      "redirect_url": "/windows/security/identity-protection/credential-guard/considerations-known-issues",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md",
+      "redirect_url": "/windows/security/identity-protection/credential-guard/how-it-works",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/credential-guard/credential-guard-known-issues.md",
+      "redirect_url": "/windows/security/identity-protection/credential-guard/considerations-known-issues",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/credential-guard/credential-guard-manage.md",
+      "redirect_url": "/windows/security/identity-protection/credential-guard/configure",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md",
+      "redirect_url": "/windows/security/identity-protection/credential-guard/how-it-works",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/credential-guard/credential-guard-requirements.md",
+      "redirect_url": "/windows/security/identity-protection/credential-guard/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md",
+      "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md",
+      "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md",
+      "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md",
+      "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md",
+      "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md",
+      "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md",
+      "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md",
+      "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml",
+      "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq",
+      "redirect_document_id": false
     }
   ]
 }
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index ef83e85701..c62ca17200 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -48,7 +48,10 @@
         "jborsecnik",
         "tiburd",
         "garycentric",
-        "beccarobins"
+        "beccarobins",
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ]
     },
     "externalReference": [],
diff --git a/education/breadcrumb/toc.yml b/education/breadcrumb/toc.yml
index 23a57d2206..211570e4b0 100644
--- a/education/breadcrumb/toc.yml
+++ b/education/breadcrumb/toc.yml
@@ -1,24 +1,3 @@
-items:
-- name: Docs
-  tocHref: /
-  topicHref: /
-  items:
-    - name: Microsoft Education
-      tocHref: /education/
-      topicHref: /education/index
-      items:
-      - name: Get started
-        tocHref: /education/get-started
-        topicHref: /education/get-started/index
-      - name: Windows
-        tocHref: /education/windows
-        topicHref: /education/windows/index
-      - name: Windows
-        tocHref: /windows/configuration/
-        topicHref: /education/windows/index
-      - name: Windows
-        tocHref: /windows/deployment/
-        topicHref: /education/windows/index
-      - name: Windows
-        tocHref: /windows/Security/Application Control for Windows/
-        topicHref: /education/windows/index
+- name: Windows
+  tocHref: /windows/
+  topicHref: /windows/index
diff --git a/education/docfx.json b/education/docfx.json
index a9579639a6..8b2f9b3edf 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -66,7 +66,7 @@
         "garycentric",
         "v-stsavell",
         "beccarobins",
-        "v-stchambers"
+        "Stacyrch140"
       ]
     },
     "fileMetadata": {
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index 0bfa6d278a..bae8eba426 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,54 +2,20 @@
 

 
 
-## Week of July 31, 2023
+## Week of September 11, 2023
 
 
 | Published On |Topic title | Change |
 |------|------------|--------|
-| 8/3/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
+| 9/11/2023 | [Configure education themes for Windows 11](/education/windows/edu-themes) | modified |
+| 9/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
 
 
-## Week of July 24, 2023
+## Week of September 04, 2023
 
 
 | Published On |Topic title | Change |
 |------|------------|--------|
-| 7/24/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
-| 7/25/2023 | [Set up Windows devices for education](/education/windows/set-up-windows-10) | modified |
-| 7/25/2023 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified |
-
-
-## Week of July 10, 2023
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 7/14/2023 | [Microsoft 365 Education Documentation](/education/index) | modified |
-| 7/14/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
-| 7/14/2023 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
-| 7/14/2023 | [Configure federation between Google Workspace and Azure AD](/education/windows/configure-aad-google-trust) | modified |
-| 7/14/2023 | [Windows for Education documentation](/education/windows/index) | modified |
-| 7/14/2023 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
-| 7/14/2023 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | modified |
-| 7/14/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
-| 7/14/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified |
-| 7/14/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | modified |
-| 7/14/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | modified |
-| 7/14/2023 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified |
-| 7/14/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
-| 7/14/2023 | [Windows for Education documentation](/education/windows/index) | added |
-| 7/14/2023 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | added |
-| 7/14/2023 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | added |
-| 7/14/2023 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | added |
-| 7/14/2023 | [Enrollment in Intune with standard out-of-box experience (OOBE)](/education/windows/tutorial-school-deployment/enroll-aadj) | added |
-| 7/14/2023 | [Enrollment in Intune with Windows Autopilot](/education/windows/tutorial-school-deployment/enroll-autopilot) | added |
-| 7/14/2023 | [Device enrollment overview](/education/windows/tutorial-school-deployment/enroll-overview) | added |
-| 7/14/2023 | [Enrollment of Windows devices with provisioning packages](/education/windows/tutorial-school-deployment/enroll-package) | added |
-| 7/14/2023 | [Introduction](/education/windows/tutorial-school-deployment/index) | added |
-| 7/14/2023 | [Manage devices with Microsoft Intune](/education/windows/tutorial-school-deployment/manage-overview) | added |
-| 7/14/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | added |
-| 7/14/2023 | [Reset and wipe Windows devices](/education/windows/tutorial-school-deployment/reset-wipe) | added |
-| 7/14/2023 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added |
-| 7/14/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added |
-| 7/14/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added |
+| 9/5/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
+| 9/5/2023 | [Windows for Education documentation](/education/windows/index) | modified |
+| 9/5/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
diff --git a/education/index.yml b/education/index.yml
index 29efffa3ae..a41a668122 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -40,7 +40,7 @@ productDirectory:
       imageSrc: ./images/EDU-Lockbox.svg
       links:
         - url: /azure/active-directory/fundamentals/active-directory-deployment-checklist-p2
-          text: Azure Active Directory feature deployment guide
+          text: Microsoft Entra feature deployment guide
         - url: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-information-protection-deployment-acceleration-guide/ba-p/334423
           text: Azure information protection deployment acceleration guide
         - url: /defender-cloud-apps/get-started
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index adc2f3d815..0c9591c71b 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -13,7 +13,7 @@ ms.collection:
 
 # Reset devices with Autopilot Reset 
 
-IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
+IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Microsoft Entra ID and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
 
 To enable Autopilot Reset you must:
 
@@ -89,7 +89,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
 
    - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will reapply the original provisioning package on the device. 
 
-   - Is returned to a known good managed state, connected to Azure AD and MDM.
+   - Is returned to a known good managed state, connected to Microsoft Entra ID and MDM.
 
      ![Notification that provisioning is complete.](images/autopilot-reset-provisioningcomplete.png)
 
diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md
index 92e4894f78..caa984b456 100644
--- a/education/windows/change-home-to-edu.md
+++ b/education/windows/change-home-to-edu.md
@@ -1,7 +1,7 @@
 ---
 title: Upgrade Windows Home to Windows Education on student-owned devices
 description: Learn how IT Pros can upgrade student-owned devices from Windows Home to Windows Education using Mobile Device Management or Kivuto OnTheHub with qualifying subscriptions.
-ms.date: 08/10/2022
+ms.date: 08/07/2023
 ms.topic: how-to
 author: scottbreenmsft
 ms.author: scbree
@@ -211,13 +211,13 @@ A firmware embedded key is only required to upgrade using Subscription Activatio
 
 ### What is a multiple activation key and how does it differ from using KMS, Active Directory based activation or Subscription Activation?
 
-A multiple activation key activates either individual computers or a group of computers by connecting directly to servers over the internet or by telephone. KMS, Active Directory based activation and subscription activation are bulk activation methods that work based on network proximity or joining to Active Directory or Azure Active Directory. The table below shows which methods can be used for each scenario.
+A multiple activation key activates either individual computers or a group of computers by connecting directly to servers over the internet or by telephone. KMS, Active Directory based activation and subscription activation are bulk activation methods that work based on network proximity or joining to Active Directory or Microsoft Entra ID. The table below shows which methods can be used for each scenario.
 
 | Scenario | Ownership | MAK | KMS | AD based activation | Subscription Activation |
 |-|-|:-:|:-:|:-:|:-:|
 | **Workplace join (add work or school account)** | Personal (or student-owned) | X | | | |
-| **Azure AD Join** | Organization | X | X | | X |
-| **Hybrid Azure AD Join** | Organization | X | X | X | X |
+| **Microsoft Entra join** | Organization | X | X | | X |
+| **Microsoft Entra hybrid join** | Organization | X | X | X | X |
 
 ## Related links
 
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 8871798ac4..1453e64ad3 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -125,10 +125,10 @@ Table 3. Settings in the Security node in the Google Admin Console
 
 |Section|Settings|
 |--- |--- |
-|Basic settings|These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.<br> Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.|
+|Basic settings|These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.<br> Record these settings and use them to help configure your on-premises Active Directory or Microsoft Entra ID to mirror the current behavior of your Chromebook environment.|
 |Password monitoring|This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.|
 |API reference|This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.|
-|Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.|
+|Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Microsoft Entra synchronization to replace Google-based SSO.|
 |Advanced settings|This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.|
 
 **Identify locally configured settings to migrate**
@@ -306,7 +306,7 @@ Consider the following when you create your cloud services migration strategy:
 
 You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks.
 
-In this section, you'll select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation.
+In this section, you'll select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Microsoft Entra services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation.
 
 ### <a href="" id="select-windows-device-deploy"></a>
 
@@ -332,17 +332,17 @@ Record the combination of Windows device deployment strategies that you selected
 
 ### <a href="" id="plan-adservices"></a>
 
-**Plan for AD DS and Azure AD services**
+**Plan for AD DS and Microsoft Entra services**
 
-The next decision you'll need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you'll manage your users, apps, and devices and if you'll use Office 365 and other Azure-based cloud services.
+The next decision you'll need to make concerns AD DS and Microsoft Entra services. You can run AD DS on-premises, in the cloud by using Microsoft Entra ID, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you'll manage your users, apps, and devices and if you'll use Office 365 and other Azure-based cloud services.
 
-In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD.
+In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Microsoft Entra ID (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Microsoft Entra ID.
 
-Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Azure AD, or a combination of both (hybrid). If the requirements you select from the table require on-premises AD DS and Azure AD, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Azure AD.
+Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Microsoft Entra ID, or a combination of both (hybrid). If the requirements you select from the table require on-premises AD DS and Microsoft Entra ID, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Microsoft Entra ID.
 
-Table 5. Select on-premises AD DS, Azure AD, or hybrid
+Table 5. Select on-premises AD DS, Microsoft Entra ID, or hybrid
 
-|If you plan to...|On-premises AD DS|Azure AD|Hybrid|
+|If you plan to...|On-premises AD DS|Microsoft Entra ID|Hybrid|
 |--- |--- |--- |--- |
 |Use Office 365||✔️|✔️|
 |Use Intune for management||✔️|✔️|
@@ -383,7 +383,7 @@ Record the device, user, and app management products and technologies that you s
 
 **Plan network infrastructure remediation**
 
-In addition to AD DS, Azure AD, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices.
+In addition to AD DS, Microsoft Entra ID, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices.
 
 Examine each of the following network infrastructure technologies and services and determine if any remediation is necessary:
 
@@ -439,20 +439,22 @@ It's important that you perform any network infrastructure remediation first bec
 
 If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section.
 
-## Perform AD DS and Azure AD services deployment or remediation
+<a name='perform-ad-ds-and-azure-ad-services-deployment-or-remediation'></a>
+
+## Perform AD DS and Microsoft Entra services deployment or remediation
 
 
-It's important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations.
+It's important that you perform AD DS and Microsoft Entra services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Microsoft Entra ID) in place and up to necessary expectations.
 
-In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Use the following resources to deploy or remediate on-premises AD DS, Azure AD, or both:
+In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Microsoft Entra deployment or remediation (if any) that needed to be performed. Use the following resources to deploy or remediate on-premises AD DS, Microsoft Entra ID, or both:
 
 - [Core network guidance for Windows Server](/windows-server/networking/core-network-guide/core-network-guide-windows-server)
 - [AD DS overview](/windows-server/identity/ad-ds/active-directory-domain-services)
-- [Azure AD documentation](/azure/active-directory/)
-- [Azure AD Premium](https://azure.microsoft.com/pricing/details/active-directory/)
+- [Microsoft Entra documentation](/azure/active-directory/)
+- [Microsoft Entra ID P1 or P2](https://azure.microsoft.com/pricing/details/active-directory/)
 - [Safely virtualizing Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
 
-If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
+If you decided not to migrate to AD DS or Microsoft Entra ID as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
 
 ## Prepare device, user, and app management systems
 
diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index 087db4abca..8f3304ae76 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -1,60 +1,62 @@
 ---
-title: Configure federation between Google Workspace and Azure AD
-description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
-ms.date: 04/04/2023
+title: Configure federation between Google Workspace and Microsoft Entra ID
+description: Configuration of a federated trust between Google Workspace and Microsoft Entra ID, with Google Workspace acting as an identity provider (IdP) for Microsoft Entra ID.
+ms.date: 09/11/2023
 ms.topic: how-to
 appliesto:
 ---
 
-# Configure federation between Google Workspace and Azure AD
+# Configure federation between Google Workspace and Microsoft Entra ID
 
 This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Azure AD.\
-Once configured, users will be able to sign in to Azure AD with their Google Workspace credentials.
+Once configured, users will be able to sign in to Microsoft Entra ID with their Google Workspace credentials.
 
 ## Prerequisites
 
-To configure Google Workspace as an IdP for Azure AD, the following prerequisites must be met:
+To configure Google Workspace as an IdP for Microsoft Entra ID, the following prerequisites must be met:
 
-1. An Azure AD tenant, with one or multiple custom DNS domains (that is, domains that aren't in the format \**.onmicrosoft.com*)
-    - If the federated domain hasn't yet been added to Azure AD, you must have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace
-    - Learn how to [Add your custom domain name using the Azure Active Directory portal](/azure/active-directory/fundamentals/add-custom-domain)
-1. Access to Azure AD with an account with the *Global Administrator* role
+1. A Microsoft Entra tenant, with one or multiple custom DNS domains (that is, domains that aren't in the format \**.onmicrosoft.com*)
+    - If the federated domain hasn't yet been added to Microsoft Entra ID, you must have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace
+    - Learn how to [Add your custom domain name using the Microsoft Entra admin center](/azure/active-directory/fundamentals/add-custom-domain)
+1. Access to Microsoft Entra ID with an account with the *Global Administrator* role
 1. Access to Google Workspace with an account with *super admin* privileges
 
 To test federation, the following prerequisites must be met:
 
 1. A Google Workspace environment, with users already created
     > [!IMPORTANT]
-    > Users require an email address defined in Google Workspace, which is used to match the users in Azure AD.
-    > For more information about identity matching, see [Identity matching in Azure AD](federated-sign-in.md#identity-matching-in-azure-ad).
-1. Individual Azure AD accounts already created: each Google Workspace user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
+    > Users require an email address defined in Google Workspace, which is used to match the users in Microsoft Entra ID.
+    > For more information about identity matching, see [Identity matching in Microsoft Entra ID](federated-sign-in.md#identity-matching-in-azure-ad).
+1. Individual Microsoft Entra accounts already created: each Google Workspace user will require a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example:
     - School Data Sync (SDS)
-    - Azure AD Connect sync for environment with on-premises AD DS
+    - Microsoft Entra Connect Sync for environment with on-premises AD DS
     - PowerShell scripts that call the Microsoft Graph API
     - Provisioning tools offered by the IdP - this capability is offered by Google Workspace through [auto-provisioning](https://support.google.com/a/answer/7365072)
 
-## Configure Google Workspace as an IdP for Azure AD
+<a name='configure-google-workspace-as-an-idp-for-azure-ad'></a>
+
+## Configure Google Workspace as an IdP for Microsoft Entra ID
 
 1. Sign in to the [Google Workspace Admin Console](https://admin.google.com) with an account with *super admin* privileges
 1. Select **Apps > Web and mobile apps**
 1. Select **Add app > Search for apps** and search for *microsoft*
 1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
    :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
-1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later
-1. On the **Service provider detail*s** page
+1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Microsoft Entra ID later
+1. On the **Service provider detail's** page
       - Select the option **Signed response**
       - Verify that the Name ID format is set to **PERSISTENT**
-      - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\
+      - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you may need to adjust the **Name ID** mapping.\
         If using Google auto-provisioning, select **Basic Information > Primary email**
       - Select **Continue**
-1. On the **Attribute mapping** page, map the Google attributes to the Azure AD attributes
+1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes
 
-    |Google Directory attributes|Azure AD attributes|
+    |Google Directory attributes|Microsoft Entra attributes|
     |-|-|
     |Basic Information: Primary Email|App attributes: IDPEmail|
 
     > [!IMPORTANT]
-    > You must ensure that your the Azure AD user accounts email match those in your Google Workspace.
+    > You must ensure that your the Microsoft Entra user accounts email match those in your Google Workspace.
 
 1. Select **Finish**
 
@@ -66,10 +68,12 @@ Now that the app is configured, you must enable it for the users in Google Works
 1. Select **User access**
 1. Select **ON for everyone > Save**
 
-## Configure Azure AD as a Service Provider (SP) for Google Workspace
+<a name='configure-azure-ad-as-a-service-provider-sp-for-google-workspace'></a>
 
-The configuration of Azure AD consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\
-Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in a PowerShell session. When prompted to authenticate to Azure AD, use the credentials of an account with the *Global Administrator* role.
+## Configure Microsoft Entra ID as a Service Provider (SP) for Google Workspace
+
+The configuration of Microsoft Entra ID consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\
+Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, use the credentials of an account with the *Global Administrator* role.
 
 ```powershell
 Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
@@ -125,12 +129,14 @@ SigningCertificate                    : <BASE64 encoded certificate>
 AdditionalProperties                  : {}
 ```
 
-## Verify federated authentication between Google Workspace and Azure AD
+<a name='verify-federated-authentication-between-google-workspace-and-azure-ad'></a>
+
+## Verify federated authentication between Google Workspace and Microsoft Entra ID
 
 From a private browser session, navigate to https://portal.azure.com and sign in with a Google Workspace account:
 
 1. As username, use the email as defined in Google Workspace
 1. The user will be redirected to Google Workspace to sign in
-1. After Google Workspace authentication, the user will be redirected back to Azure AD and signed in
+1. After Google Workspace authentication, the user will be redirected back to Microsoft Entra ID and signed in
 
-:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
\ No newline at end of file
+:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index e7c2c92cd2..d9b96510a0 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -29,7 +29,7 @@ It's easy to be education ready when using Microsoft products. We recommend the
 
 1. Use an Office 365 Education tenant. 
 
-    With Office 365, you also have Azure Active Directory (Azure AD). To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
+    With Office 365, you also have Microsoft Entra ID. To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
 
 2. Activate Intune for Education in your tenant.
 
@@ -39,11 +39,11 @@ It's easy to be education ready when using Microsoft products. We recommend the
    1. Provision the PC using one of these methods:
       * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - The usage of this method will automatically set both **SetEduPolicies** to True and **AllowCortana** to False.
       * [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False.
-   2. Join the PC to Azure Active Directory.
-      * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Azure AD.
-      * Manually Azure AD join the PC during the Windows device setup experience.
+   2. Join the PC to Microsoft Entra ID.
+      * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Microsoft Entra ID.
+      * Manually Microsoft Entra join the PC during the Windows device setup experience.
    3. Enroll the PCs in MDM.
-      * If you've activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False.
+      * If you've activated Intune for Education in your Microsoft Entra tenant, enrollment will happen automatically when the PC is joined to Microsoft Entra ID. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False.
    4. Ensure that needed assistive technology apps can be used.
       * If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info.
 
@@ -136,13 +136,15 @@ Provide an ad-free experience that is a safer, more private search option for K
 
 ### Configurations
 
-#### Azure AD and Office 365 Education tenant
+<a name='azure-ad-and-office-365-education-tenant'></a>
+
+#### Microsoft Entra ID and Office 365 Education tenant
 To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
 
 1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-viva-engage-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
-2. Domain join the Windows 10 PCs to your Azure AD tenant (this tenant is the same as your Office 365 tenant).
+2. Domain join the Windows 10 PCs to your Microsoft Entra tenant (this tenant is the same as your Office 365 tenant).
 3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
-4. Have students sign in with their Azure AD identity, which is the same as your Office 365 identity, to use the PC.
+4. Have students sign in with their Microsoft Entra identity, which is the same as your Office 365 identity, to use the PC.
 > [!NOTE]
 > If you are verifying your Office 365 domain to prove education status (step 1 above), you may need to wait up to 7 days for the ad-free experience to take effect. Microsoft recommends not to roll out the browser to your students until that time.
 
@@ -154,4 +156,4 @@ To suppress ads only when the student signs into Bing with their Office 365 acco
 
 
 ## Related topics
-[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
\ No newline at end of file
+[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index f7ec888e80..43162f541c 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -1,6 +1,6 @@
 ---
 title: Deploy Windows 10 in a school district 
-description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Configuration Manager, Intune, and Group Policy to manage devices.
+description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Entra ID, use Microsoft Configuration Manager, Intune, and Group Policy to manage devices.
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
@@ -9,7 +9,7 @@ appliesto:
 
 # Deploy Windows 10 in a school district
 
-This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
+This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Entra ID; and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
 
 ## Prepare for district deployment
 
@@ -68,9 +68,9 @@ This district configuration has the following characteristics:
   > [!NOTE]
   > In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
   
-* The devices use Azure AD in Office 365 Education for identity management.
+* The devices use Microsoft Entra ID in Office 365 Education for identity management.
 
-* If you've on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
+* If you've on-premises AD DS, you can [integrate Microsoft Entra ID with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
 
 * Use [Intune](/intune/), [Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/set-up), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
 
@@ -155,7 +155,7 @@ The high-level process for deploying and configuring devices within individual c
 
 2. On the admin device, create and configure the Office 365 Education subscription that you'll use for the district’s classrooms.
 
-3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you've an on premises AD DS configuration).
+3. On the admin device, configure integration between on-premises AD DS and Microsoft Entra ID (if you've an on premises AD DS configuration).
 
 4. On the admin device, create and configure a Microsoft Store for Business portal.
 
@@ -167,7 +167,7 @@ The high-level process for deploying and configuring devices within individual c
 
 8. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
 
-9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration.
+9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Microsoft Entra integration.
 
 > [!div class="mx-imgBorder"]
 > ![How district configuration works.](images/edu-districtdeploy-fig4.png "How district configuration works")
@@ -190,7 +190,7 @@ Before you select the deployment and management methods, you need to review the
 
 |Scenario feature |Cloud-centric|On-premises and cloud|
 |---|---|---|
-|Identity management | Azure AD (stand-alone or integrated with on-premises AD DS)  |  AD DS integrated with Azure AD |
+|Identity management | Microsoft Entra ID (stand-alone or integrated with on-premises AD DS)  |  AD DS integrated with Microsoft Entra ID |
 |Windows 10 deployment   | MDT only  |  Microsoft Configuration Manager with MDT |
 |Configuration setting management  | Intune  |  Group Policy<br/><br/>Intune|
 |App and update management |  Intune |Microsoft Configuration Manager<br/><br/>Intune|
@@ -239,7 +239,7 @@ For a district, there are many ways to manage the configuration setting for user
 |Method|Description|
 |--- |--- |
 |Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. <br> Select this method when you <li>Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).<li> Want more granular control of device and user settings. <li>Have an existing AD DS infrastructure.<li>Typically manage on-premises devices.<li>Can manage a required setting only by using Group Policy. <br>The advantages of this method include: <li>No cost beyond the AD DS infrastructure. <li>A larger number of settings (compared to Intune).<br>The disadvantages of this method are that it:<li>Can only manage domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).<li>Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).<li> Has rudimentary app management capabilities.<li> can't  deploy Windows 10 operating systems.|
-|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br>Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.<br>Select this method when you:<li> Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).<li>Don’t need granular control over device and user settings (compared to Group Policy).<li>Don’t have an existing AD DS infrastructure.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<li>Can manage a required setting only by using Intune.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It doesn’t require any on-premises infrastructure.<li>It can manage devices regardless of their location (on or off premises).<br>The disadvantages of this method are that it:<li>Carries an extra cost for Intune subscription licenses.<li>Doesn’t offer granular control over device and user settings (compared to Group Policy).<li>can't  deploy Windows 10 operating systems.|
+|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Microsoft Entra ID.<br>Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.<br>Select this method when you:<li> Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).<li>Don’t need granular control over device and user settings (compared to Group Policy).<li>Don’t have an existing AD DS infrastructure.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<li>Can manage a required setting only by using Intune.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It doesn’t require any on-premises infrastructure.<li>It can manage devices regardless of their location (on or off premises).<br>The disadvantages of this method are that it:<li>Carries an extra cost for Intune subscription licenses.<li>Doesn’t offer granular control over device and user settings (compared to Group Policy).<li>can't  deploy Windows 10 operating systems.|
 
 *Table 4. Configuration setting management methods*
 
@@ -261,8 +261,8 @@ Use the information in Table 6 to determine which combination of app and update
 |Selection|Management method|
 |--- |--- |
 |Microsoft Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:<li>Selected Configuration Manager to deploy Windows 10.<li>Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).<li>Want to manage AD DS domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Typically manage on-premises devices.<li>Want to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can deploy Windows 10 operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can manage software updates for Windows 10 and apps.<li>You can manage antivirus and malware protection.<li>It scales to large numbers of users and devices.<br>The disadvantages of this method are that it:<li>Carries an extra cost for Configuration Manager server licenses (if the institution doesn't  have Configuration Manager already).<li>Carries an extra cost for Windows Server licenses and the corresponding server hardware.<li>Can only manage domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).<li>Typically manages on-premises devices (unless devices through VPN or DirectAccess).|
-|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br>Select this method when you:<li>Selected MDT only to deploy Windows 10.<li>Want to manage institution-owned and personal devices that aren't  domain joined.<li>Want to manage Azure AD domain-joined devices.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).<li>You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).<br>The disadvantages of this method are that it:<li>Carries an extra cost for Intune subscription licenses.<li>can't  deploy Windows 10 operating systems.|
-|Microsoft Configuration Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.<br><br>Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices. <br><br>Select this method when you:<br><li>Selected Microsoft Configuration Manager to deploy Windows 10.<li>Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).<li>Want to manage domain-joined devices.<li>Want to manage Azure AD domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Want to manage devices regardless of their connectivity.vWant to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br><br>The advantages of this method are that:<li>You can deploy operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can scale to large numbers of users and devices.<li>You can support institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It can manage devices regardless of their location (on or off premises).<br><br>The disadvantages of this method are that it:<li>Carries an extra cost for Configuration Manager server licenses (if the institution doesn't  have Configuration Manager already).<li>Carries an extra cost for Windows Server licenses and the corresponding server hardware.<li>Carries an extra cost for Intune subscription licenses.<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).|
+|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Microsoft Entra ID.<br>Select this method when you:<li>Selected MDT only to deploy Windows 10.<li>Want to manage institution-owned and personal devices that aren't  domain joined.<li>Want to manage Microsoft Entra domain-joined devices.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).<li>You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).<br>The disadvantages of this method are that it:<li>Carries an extra cost for Intune subscription licenses.<li>can't  deploy Windows 10 operating systems.|
+|Microsoft Configuration Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.<br><br>Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices. <br><br>Select this method when you:<br><li>Selected Microsoft Configuration Manager to deploy Windows 10.<li>Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).<li>Want to manage domain-joined devices.<li>Want to manage Microsoft Entra domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Want to manage devices regardless of their connectivity.vWant to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br><br>The advantages of this method are that:<li>You can deploy operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can scale to large numbers of users and devices.<li>You can support institution-owned and personal devices.<li>It doesn’t require that devices be domain joined.<li>It can manage devices regardless of their location (on or off premises).<br><br>The disadvantages of this method are that it:<li>Carries an extra cost for Configuration Manager server licenses (if the institution doesn't  have Configuration Manager already).<li>Carries an extra cost for Windows Server licenses and the corresponding server hardware.<li>Carries an extra cost for Intune subscription licenses.<li>Requires an AD DS infrastructure (if the institution doesn't  have AD DS already).|
 
 *Table 6. App and update management products*
 
@@ -428,7 +428,7 @@ Now that you've created your new Office 365 Education subscription, add the doma
 To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
 
 > [!NOTE]
-> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up FAQ](/microsoft-365/education/deploy/office-365-education-self-sign-up).
+> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Microsoft Entra Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up FAQ](/microsoft-365/education/deploy/office-365-education-self-sign-up).
 
 Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
 
@@ -450,7 +450,7 @@ By default, all new Office 365 Education subscriptions have automatic tenant joi
 *Table 10. Windows PowerShell commands to enable or disable automatic tenant join*
 
 > [!NOTE]
-> If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant.
+> If your institution has AD DS, then disable automatic tenant join. Instead, use Microsoft Entra integration with AD DS to add users to your Office 365 tenant.
 
 ### Disable automatic licensing
 
@@ -468,129 +468,143 @@ Although all new Office 365 Education subscriptions have automatic licensing ena
 
 *Table 11. Windows PowerShell commands to enable or disable automatic licensing*
 
-### Enable Azure AD Premium
+<a name='enable-azure-ad-premium'></a>
 
-When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory, the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD-integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium.
+### Enable Microsoft Entra ID P1 or P2
 
-Educational institutions can obtain Azure AD Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access).
+When you create your Office 365 subscription, you create an Office 365 tenant that includes a Microsoft Entra directory, the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Microsoft Entra integrated apps. Microsoft Entra ID is available in Free, Basic, and Premium editions. Microsoft Entra ID Free, which is included in Office 365 Education, has fewer features than Microsoft Entra Basic, which in turn has fewer features than Microsoft Entra ID P1 or P2.
 
-The following Azure AD Premium features aren't  in Azure AD Basic:
+Educational institutions can obtain Microsoft Entra Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Microsoft Entra ID access by completing the steps in [Step 3: Activate your Microsoft Entra ID access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access).
+
+The following Microsoft Entra ID P1 or P2 features aren't  in Microsoft Entra Basic:
 
 * Allow designated users to manage group membership
 * Dynamic group membership based on user metadata
-* Azure AD Multi-Factor Authentication (MFA; see [What is Azure AD Multi-Factor Authentication](/azure/active-directory/authentication/concept-mfa-howitworks))
+* Microsoft Entra multifactor authentication (MFA; see [What is Microsoft Entra multifactor authentication](/azure/active-directory/authentication/concept-mfa-howitworks))
 * Identify cloud apps that your users run
 * Self-service recovery of BitLocker
 * Add local administrator accounts to Windows 10 devices
-* Azure AD Connect health monitoring
+* Microsoft Entra Connect Health monitoring
 * Extended reporting capabilities
 
-You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users.
+You can assign Microsoft Entra ID P1 or P2 licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Microsoft Entra ID P1 or P2 to only those users.
 
-You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You'll assign Azure AD Premium licenses to users later in the deployment process.
+You can sign up for Microsoft Entra ID P1 or P2, and then assign licenses to users. In this section, you sign up for Microsoft Entra ID P1 or P2. You'll assign Microsoft Entra ID P1 or P2 licenses to users later in the deployment process.
 
 For more information about:
 
-* Azure AD editions and the features in each, see [Azure Active Directory editions](/azure/active-directory/fundamentals/active-directory-whatis).
-* How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](/previous-versions/azure/azure-services/jj573650(v=azure.100)#create_tenant3).
+* Microsoft Entra editions and the features in each, see [Microsoft Entra editions](/azure/active-directory/fundamentals/active-directory-whatis).
+* How to enable Microsoft Entra ID P1 or P2, see [Associate a Microsoft Entra directory with a new Azure subscription](/previous-versions/azure/azure-services/jj573650(v=azure.100)#create_tenant3).
 
 #### Summary
 
-You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365.
+You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Microsoft Entra ID P1 or P2 enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365.
 
 ## Select an Office 365 user account–creation method
 
 Now that you've an Office 365 subscription, you must determine how you’ll create your Office 365 user accounts. Use one of the following methods to make your decision:
 
-* Method 1: Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you've an on-premises AD DS domain.
-* Method 2: Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain.
+* Method 1: Automatically synchronize your on-premises AD DS domain with Microsoft Entra ID. Select this method if you've an on-premises AD DS domain.
+* Method 2: Bulk-import the user accounts from a .csv file (based on information from other sources) into Microsoft Entra ID. Select this method if you don’t have an on-premises AD DS domain.
 
-### Method 1: Automatic synchronization between AD DS and Azure AD
+<a name='method-1-automatic-synchronization-between-ad-ds-and-azure-ad'></a>
 
-In this method, you've an on-premises AD DS domain. As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
+### Method 1: Automatic synchronization between AD DS and Microsoft Entra ID
+
+In this method, you've an on-premises AD DS domain. As shown in Figure 5, the Microsoft Entra Connector tool automatically synchronizes AD DS with Microsoft Entra ID. When you add or change any user accounts in AD DS, the Microsoft Entra Connector tool automatically updates Microsoft Entra ID.
 
 > [!NOTE]
-> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)).
+> Microsoft Entra Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)).
 
 > [!div class="mx-imgBorder"]
-> ![Automatic synchronization between AD DS and Azure AD.](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD")
+> ![Automatic synchronization between AD DS and Azure AD.](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Microsoft Entra ID")
 
-*Figure 5. Automatic synchronization between AD DS and Azure AD*
+*Figure 5. Automatic synchronization between AD DS and Microsoft Entra ID*
 
-For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section later in this guide.
+For more information about how to perform this step, see the [Integrate on-premises AD DS with Microsoft Entra ID](#integrate-on-premises-ad-ds-with-azure-ad) section later in this guide.
 
-### Method 2: Bulk import into Azure AD from a .csv file
+<a name='method-2-bulk-import-into-azure-ad-from-a-csv-file'></a>
 
-In this method, you've no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
+### Method 2: Bulk import into Microsoft Entra ID from a .csv file
+
+In this method, you've no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Microsoft Entra ID. The .csv file must be in the format that Office 365 specifies.
 
 > [!div class="mx-imgBorder"]
-> ![Bulk import into Azure AD from other sources.](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources")
+> ![Bulk import into Microsoft Entra ID from other sources.](images/edu-districtdeploy-fig6.png "Bulk import into Microsoft Entra ID from other sources")
 
-*Figure 6. Bulk import into Azure AD from other sources*
+*Figure 6. Bulk import into Microsoft Entra ID from other sources*
 
 To implement this method, perform the following steps:
 
 1. Export the student information from the source.
 
    Put the student information in the format the bulk-import feature requires.
-2. Bulk-import the student information into Azure AD.
+2. Bulk-import the student information into Microsoft Entra ID.
 
    For more information about how to perform this step, see the [Bulk-import user and group accounts into Office 365](#bulk-import-user-and-group-accounts-into-office-365) section.
 
 #### Summary
 
-In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts.
+In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Microsoft Entra ID (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts.
 
-## Integrate on-premises AD DS with Azure AD
+<a name='integrate-on-premises-ad-ds-with-azure-ad'></a>
 
-You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
+## Integrate on-premises AD DS with Microsoft Entra ID
+
+You can integrate your on-premises AD DS domain with Microsoft Entra ID to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Microsoft Entra ID with the Microsoft Entra Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
 
 > [!NOTE]
 > If your institution doesn't  have an on-premises AD DS domain, you can skip this section.
 
 ### Select a synchronization model
 
-Before you deploy AD DS and Azure AD synchronization, determine where you want to deploy the server that runs Azure AD Connect.
+Before you deploy AD DS and Microsoft Entra synchronization, determine where you want to deploy the server that runs Microsoft Entra Connect.
 
-You can deploy the Azure AD Connect tool:
+You can deploy the Microsoft Entra Connect tool:
 
-- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server.
+- **On premises.** As shown in Figure 7, Microsoft Entra Connect runs on premises which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server.
 
   > [!div class="mx-imgBorder"]
-  > ![Azure AD Connect on premises.](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises")
+  > ![Microsoft Entra Connect on premises.](images/edu-districtdeploy-fig7.png "Microsoft Entra Connect on premises")
 
-  *Figure 7. Azure AD Connect on premises*
+  *Figure 7. Microsoft Entra Connect on premises*
 
-- **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
+- **In Azure.** As shown in Figure 8, Microsoft Entra Connect runs on a VM in Microsoft Entra ID, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
 
   > [!div class="mx-imgBorder"]
-  > ![Azure AD Connect in Azure.](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure")
+  > ![Microsoft Entra Connect in Azure.](images/edu-districtdeploy-fig8.png "Microsoft Entra Connect in Azure")
 
-  *Figure 8. Azure AD Connect in Azure*
+  *Figure 8. Microsoft Entra Connect in Azure*
 
-This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure).
+This guide describes how to run Microsoft Entra Connect on premises. For information about running Microsoft Entra Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure).
 
-### Deploy Azure AD Connect on premises
+<a name='deploy-azure-ad-connect-on-premises'></a>
 
-In this synchronization model (illustrated in Figure 7), you run Azure AD Connect on premises on a physical device or in a VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD and includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution.
+### Deploy Microsoft Entra Connect on premises
 
-#### To deploy AD DS and Azure AD synchronization
+In this synchronization model (illustrated in Figure 7), you run Microsoft Entra Connect on premises on a physical device or in a VM. Microsoft Entra Connect synchronizes AD DS user and group accounts with Microsoft Entra ID and includes a wizard that helps you configure Microsoft Entra Connect for your AD DS domain and Office 365 subscription. First, you install Microsoft Entra Connect; then, you run the wizard to configure it for your institution.
 
-1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](/azure/active-directory/cloud-sync/how-to-prerequisites).
+<a name='to-deploy-ad-ds-and-azure-ad-synchronization'></a>
 
-2. In the VM or on the physical device that will run Azure AD Connect, sign in with a domain administrator account.
+#### To deploy AD DS and Microsoft Entra synchronization
 
-3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](/azure/active-directory/hybrid/whatis-hybrid-identity#install-azure-ad-connect).
+1. Configure your environment to meet the prerequisites for installing Microsoft Entra Connect by performing the steps in [Prerequisites for Microsoft Entra Connect](/azure/active-directory/cloud-sync/how-to-prerequisites).
 
-4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure sync features](/azure/active-directory/hybrid/whatis-hybrid-identity#configure-sync-features).
+2. In the VM or on the physical device that will run Microsoft Entra Connect, sign in with a domain administrator account.
 
-Now that you've used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD.
+3. Install Microsoft Entra Connect by performing the steps in [Install Microsoft Entra Connect](/azure/active-directory/hybrid/whatis-hybrid-identity#install-azure-ad-connect).
+
+4. Configure Microsoft Entra Connect features based on your institution’s requirements by performing the steps in [Configure sync features](/azure/active-directory/hybrid/whatis-hybrid-identity#configure-sync-features).
+
+Now that you've used on premises Microsoft Entra Connect to deploy AD DS and Microsoft Entra synchronization, you’re ready to verify that Microsoft Entra Connect is synchronizing AD DS user and group accounts with Microsoft Entra ID.
 
 ### Verify synchronization
 
-Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console.
+Microsoft Entra Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Microsoft Entra ID in the Office 365 admin console.
 
-#### To verify AD DS and Azure AD synchronization
+<a name='to-verify-ad-ds-and-azure-ad-synchronization'></a>
+
+#### To verify AD DS and Microsoft Entra synchronization
 
 1. Open https://portal.office.com in your web browser.
 
@@ -611,11 +625,11 @@ Azure AD Connect should start synchronization immediately. Depending on the numb
    The list of security group members should mirror the group membership for the corresponding security group in AD DS.
 8. Close the browser.
 
-Now that you've verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium.
+Now that you've verified Microsoft Entra Connect synchronization, you’re ready to assign user licenses for Microsoft Entra ID P1 or P2.
 
 #### Summary
 
-In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly.
+In this section, you selected your synchronization model, deployed Microsoft Entra Connect, and verified that Microsoft Entra ID is synchronizing properly.
 
 ## Bulk-import user and group accounts into AD DS
 
@@ -663,7 +677,7 @@ For more information about how to import user accounts into AD DS by using:
 
 #### Summary
 
-In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts into AD DS. If you've Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
+In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts into AD DS. If you've Microsoft Entra Connect, it automatically synchronizes the new AD DS user and group accounts to Microsoft Entra ID. Now, you’re ready to assign user licenses for Microsoft Entra ID P1 or P2 in the [Assign user licenses for Microsoft Entra ID P1 or P2](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
 
 ## Bulk-import user and group accounts into Office 365
 
@@ -674,7 +688,7 @@ You can bulk-import user and group accounts directly into Office 365, reducing t
 Now that you've created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom.
 
 > [!NOTE]
-> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Microsoft Entra integration to synchronize the security groups with your Office 365 tenant.
 
 You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you've many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users).
 
@@ -692,7 +706,7 @@ The email accounts are assigned temporary passwords on creation. You must commun
 Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources.
 
 > [!NOTE]
-> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Microsoft Entra integration to synchronize the security groups with your Office 365 tenant.
 
 For information about creating security groups, see [Create an Office 365 Group in the admin center](/microsoft-365/admin/create-groups/create-groups).
 
@@ -715,13 +729,15 @@ For information about creating email distribution groups, see [Create a Microsof
 
 #### Summary
 
-You've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium.
+You've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Microsoft Entra ID P1 or P2.
 
-## Assign user licenses for Azure AD Premium
+<a name='assign-user-licenses-for-azure-ad-premium'></a>
 
-If you enabled Azure AD Premium in the [Enable Azure AD Premium](#enable-azure-ad-premium) section, you must now assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users.
+## Assign user licenses for Microsoft Entra ID P1 or P2
 
-For more information about assigning user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
+If you enabled Microsoft Entra ID P1 or P2 in the [Enable Microsoft Entra ID P1 or P2](#enable-azure-ad-premium) section, you must now assign Microsoft Entra ID P1 or P2 licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Microsoft Entra ID P1 or P2 only to those users.
+
+For more information about assigning user licenses for Microsoft Entra ID P1 or P2, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
 
 ## Create and configure a Microsoft Store for Business portal
 
@@ -1048,7 +1064,7 @@ Use the information in Table 17 to help you determine whether you need to config
 
 |Recommendation|Description|
 |--- |--- |
-|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, don't  use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.<br>**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices. <br>**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.<br>****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.|
+|Use of Microsoft accounts|You want faculty and students to use only Microsoft Entra accounts for institution-owned devices. For these devices, don't  use Microsoft accounts or associate a Microsoft account with the Microsoft Entra accounts.<br>**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Microsoft Entra account on these devices. <br>**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.<br>****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.|
 |Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.<br>**Group Policy**. Create a Local Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item. <br>**Intune**. Not available.|
 |Manage the built-in administrator account created during device deployment|When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.<br> **Group Policy**. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).<br> **Intune**. Not available.|
 |Control Microsoft Store access|You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.<br>**Group policy**. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?<br>**Intune**. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.|
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index cdae48880d..d1c9aea19e 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -1,6 +1,6 @@
 ---
 title: Deploy Windows 10 in a school 
-description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy.
+description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Entra ID. Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy.
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
@@ -9,7 +9,7 @@ appliesto:
 
 # Deploy Windows 10 in a school
 
-This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
+This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Entra ID; and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
 
 ## Prepare for school deployment
 
@@ -46,8 +46,8 @@ This school configuration has the following characteristics:
   > [!NOTE]
   > In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
 
-- The devices use Azure AD in Office 365 Education for identity management.
-- If you've on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
+- The devices use Microsoft Entra ID in Office 365 Education for identity management.
+- If you've on-premises AD DS, you can [integrate Microsoft Entra ID with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
 - Use [Intune](/mem/intune/), [Set up Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/set-up), or Group Policy in AD DS to manage devices.
 - Each device supports a one-student-per-device or multiple-students-per-device scenario.
 - The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical.
@@ -97,11 +97,11 @@ The high-level process for deploying and configuring devices within individual c
 
 1. Prepare the admin device for use, which includes installing the Windows ADK and MDT.
 2. On the admin device, create and configure the Office 365 Education subscription that you'll use for each classroom in the school.
-3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you've an on premises AD DS configuration).
+3. On the admin device, configure integration between on-premises AD DS and Microsoft Entra ID (if you've an on premises AD DS configuration).
 4. On the admin device, create and configure a Microsoft Store for Business portal.
 5. On the admin device, prepare for management of the Windows 10 devices after deployment.
 6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
-7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration.
+7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Microsoft Entra integration.
 
 :::image type="content" source="images/deploy-win-10-school-figure3.png" alt-text="See the high level process of configuring Windows client devices in a classroom and the school":::
 
@@ -236,7 +236,7 @@ Now that you've created your new Office 365 Education subscription, add the doma
 To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
 
 > [!NOTE]
-> By default, automatic tenant join is enabled in Office 365 Education, except for certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
+> By default, automatic tenant join is enabled in Office 365 Education, except for certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Microsoft Entra Connect, then automatic tenant join is disabled.
 
 Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
 
@@ -261,7 +261,7 @@ All new Office 365 Education subscriptions have automatic tenant join enabled by
 ---
 
 > [!NOTE]
-> If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant.
+> If your institution has AD DS, then disable automatic tenant join. Instead, use Microsoft Entra integration with AD DS to add users to your Office 365 tenant.
 
 ### Disable automatic licensing
 
@@ -282,13 +282,15 @@ Although all new Office 365 Education subscriptions have automatic licensing ena
 
 ---
 
-### Enable Azure AD Premium
+<a name='enable-azure-ad-premium'></a>
 
-When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD has different editions, which may include Office 365 Education. For more information, see [Introduction to Azure Active Directory Tenants](/microsoft-365/education/deploy/intro-azure-active-directory).
+### Enable Microsoft Entra ID P1 or P2
 
-Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access).
+When you create your Office 365 subscription, you create an Office 365 tenant that includes a Microsoft Entra directory. Microsoft Entra ID is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Microsoft Entra ID–integrated apps. Microsoft Entra ID has different editions, which may include Office 365 Education. For more information, see [Introduction to Microsoft Entra tenants](/microsoft-365/education/deploy/intro-azure-active-directory).
 
-The Azure AD Premium features that aren't in Azure AD Basic include:
+Educational institutions can obtain Microsoft Entra Basic edition licenses at no cost. After you obtain your licenses, activate your Microsoft Entra ID access by completing the steps in [Step 3: Activate your Microsoft Entra ID access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access).
+
+The Microsoft Entra ID P1 or P2 features that aren't in Microsoft Entra Basic include:
 
 - Allow designated users to manage group membership
 - Dynamic group membership based on user metadata
@@ -297,104 +299,116 @@ The Azure AD Premium features that aren't in Azure AD Basic include:
 - Automatic enrollment in a mobile device management (MDM) system (such as Intune)
 - Self-service recovery of BitLocker
 - Add local administrator accounts to Windows 10 devices
-- Azure AD Connect health monitoring
+- Microsoft Entra Connect Health monitoring
 - Extended reporting capabilities
 
-You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users.
+You can assign Microsoft Entra ID P1 or P2 licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Microsoft Entra ID P1 or P2 to only those users.
 
-You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You'll assign Azure AD Premium licenses to users later in the deployment process.
+You can sign up for Microsoft Entra ID P1 or P2, and then assign licenses to users. In this section, you sign up for Microsoft Entra ID P1 or P2. You'll assign Microsoft Entra ID P1 or P2 licenses to users later in the deployment process.
 
 For more information, see:
 
-- [Azure Active Directory licenses](/azure/active-directory/fundamentals/active-directory-whatis)
-- [Sign up for Azure Active Directory Premium](/azure/active-directory/fundamentals/active-directory-get-started-premium)
+- [Microsoft Entra ID licenses](/azure/active-directory/fundamentals/active-directory-whatis)
+- [Sign up for Microsoft Entra ID P1 or P2](/azure/active-directory/fundamentals/active-directory-get-started-premium)
 
 ### Summary
-You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365.
+You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Microsoft Entra ID P1 or P2 enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365.
 
 ## Select an Office 365 user account–creation method
 
 
 Now that you've an Office 365 subscription, you need to determine how you'll create your Office 365 user accounts. Use the following methods to create Office 365 user accounts:
 
-- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you've an on-premises AD DS domain.
-- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain.
+- **Method 1:** Automatically synchronize your on-premises AD DS domain with Microsoft Entra ID. Select this method if you've an on-premises AD DS domain.
+- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Microsoft Entra ID. Select this method if you don’t have an on-premises AD DS domain.
 
-### Method 1: Automatic synchronization between AD DS and Azure AD
+<a name='method-1-automatic-synchronization-between-ad-ds-and-azure-ad'></a>
 
-In this method, you've an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
+### Method 1: Automatic synchronization between AD DS and Microsoft Entra ID
+
+In this method, you've an on-premises AD DS domain. As shown in Figure 4, the Microsoft Entra Connector tool automatically synchronizes AD DS with Microsoft Entra ID. When you add or change any user accounts in AD DS, the Microsoft Entra Connector tool automatically updates Microsoft Entra ID.
 
 > [!NOTE]
-> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [LDAP synchronization with Azure Active Directory](/azure/active-directory/fundamentals/sync-ldap).
+> Microsoft Entra Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [LDAP synchronization with Microsoft Entra ID](/azure/active-directory/fundamentals/sync-ldap).
 
 :::image type="content" source="images/deploy-win-10-school-figure4.png" alt-text="See the automatic synchronization between Active Directory Directory Services and Azure AD.":::
 
-*Figure 4. Automatic synchronization between AD DS and Azure AD*
+*Figure 4. Automatic synchronization between AD DS and Microsoft Entra ID*
 
-For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide.
+For more information about how to perform this step, see the [Integrate on-premises AD DS with Microsoft Entra ID](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide.
 
-### Method 2: Bulk import into Azure AD from a .csv file
+<a name='method-2-bulk-import-into-azure-ad-from-a-csv-file'></a>
 
-In this method, you've no on-premises AD DS domain. As shown in Figure 5, you manually prepare a `.csv` file with the student information from your source, and then manually import the information directly into Azure AD. The `.csv` file must be in the format that Office 365 specifies.
+### Method 2: Bulk import into Microsoft Entra ID from a .csv file
+
+In this method, you've no on-premises AD DS domain. As shown in Figure 5, you manually prepare a `.csv` file with the student information from your source, and then manually import the information directly into Microsoft Entra ID. The `.csv` file must be in the format that Office 365 specifies.
 
 :::image type="content" source="images/deploy-win-10-school-figure5.png" alt-text="Create a csv file with student information, and import the csv file into Azure AD.":::
 
-*Figure 5. Bulk import into Azure AD from other sources*
+*Figure 5. Bulk import into Microsoft Entra ID from other sources*
 
 To implement this method, perform the following steps:
 
 1. Export the student information from the source. Ultimately, you want to format the student information in the format the bulk-import feature requires.
-2. Bulk-import the student information into Azure AD. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section.
+2. Bulk-import the student information into Microsoft Entra ID. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section.
 
 ### Summary
 
-In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts.
+In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Microsoft Entra ID (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts.
 
-## Integrate on-premises AD DS with Azure AD
+<a name='integrate-on-premises-ad-ds-with-azure-ad'></a>
 
-You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
+## Integrate on-premises AD DS with Microsoft Entra ID
+
+You can integrate your on-premises AD DS domain with Microsoft Entra ID to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Microsoft Entra ID with the Microsoft Entra Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
 
 > [!NOTE]
 > If your institution doesn't have an on-premises AD DS domain, you can skip this section.
 
 ### Select synchronization model
 
-Before you deploy AD DS and Azure AD synchronization, you need to determine where you want to deploy the server that runs Azure AD Connect.
+Before you deploy AD DS and Microsoft Entra synchronization, you need to determine where you want to deploy the server that runs Microsoft Entra Connect.
 
-You can deploy the Azure AD Connect tool by using one of the following methods:
+You can deploy the Microsoft Entra Connect tool by using one of the following methods:
 
-- **On premises**: As shown in Figure 6, Azure AD Connect runs on premises, which have the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
+- **On premises**: As shown in Figure 6, Microsoft Entra Connect runs on premises, which have the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
 
-  :::image type="content" source="images/deploy-win-10-school-figure6.png" alt-text="Azure AD Connect runs on-premises and uses a virtual machine.":::
+  :::image type="content" source="images/deploy-win-10-school-figure6.png" alt-text="Microsoft Entra Connect runs on-premises and uses a virtual machine.":::
 
-  *Figure 6. Azure AD Connect on premises*
+  *Figure 6. Microsoft Entra Connect on premises*
 
-- **In Azure**: As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
+- **In Azure**: As shown in Figure 7, Microsoft Entra Connect runs on a VM in Microsoft Entra which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
 
-  :::image type="content" source="images/deploy-win-10-school-figure7.png" alt-text="Azure AD Connect runs on a VM in Azure AD, and uses a VPN gateway on-premises.":::
+  :::image type="content" source="images/deploy-win-10-school-figure7.png" alt-text="Microsoft Entra Connect runs on a VM in Microsoft Entra ID, and uses a VPN gateway on-premises.":::
 
-  *Figure 7. Azure AD Connect in Azure*
+  *Figure 7. Microsoft Entra Connect in Azure*
 
-This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure).
+This guide describes how to run Microsoft Entra Connect on premises. For information about running Microsoft Entra Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure).
 
-### Deploy Azure AD Connect on premises
+<a name='deploy-azure-ad-connect-on-premises'></a>
 
-In this synchronization model (illustrated in Figure 6), you run Azure AD Connect on premises on a physical device or VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD. Azure AD Connect includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution.
+### Deploy Microsoft Entra Connect on premises
 
-#### To deploy AD DS and Azure AD synchronization
+In this synchronization model (illustrated in Figure 6), you run Microsoft Entra Connect on premises on a physical device or VM. Microsoft Entra Connect synchronizes AD DS user and group accounts with Microsoft Entra ID. Microsoft Entra Connect includes a wizard that helps you configure Microsoft Entra Connect for your AD DS domain and Office 365 subscription. First, you install Microsoft Entra Connect; then, you run the wizard to configure it for your institution.
 
-1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-prerequisites).
-2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account.
-3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-select-installation).
-4. Configure Azure AD Connect features based on your institution’s requirements. For more information, see [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
+<a name='to-deploy-ad-ds-and-azure-ad-synchronization'></a>
 
-Now that you've used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD.
+#### To deploy AD DS and Microsoft Entra synchronization
+
+1. Configure your environment to meet the prerequisites for installing Microsoft Entra Connect by performing the steps in [Prerequisites for Microsoft Entra Connect](/azure/active-directory/hybrid/how-to-connect-install-prerequisites).
+2. On the VM or physical device that will run Microsoft Entra Connect, sign in with a domain administrator account.
+3. Install Microsoft Entra Connect by performing the steps in [Install Microsoft Entra Connect](/azure/active-directory/hybrid/how-to-connect-install-select-installation).
+4. Configure Microsoft Entra Connect features based on your institution’s requirements. For more information, see [Microsoft Entra Connect Sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
+
+Now that you've used on premises Microsoft Entra Connect to deploy AD DS and Microsoft Entra synchronization, you’re ready to verify that Microsoft Entra Connect is synchronizing AD DS user and group accounts with Microsoft Entra ID.
 
 ### Verify synchronization
 
-Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console.
+Microsoft Entra Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Microsoft Entra ID in the Office 365 admin console.
 
-#### To verify AD DS and Azure AD synchronization
+<a name='to-verify-ad-ds-and-azure-ad-synchronization'></a>
+
+#### To verify AD DS and Microsoft Entra synchronization
 
 1. In your web browser, go to [https://portal.office.com](https://portal.office.com).
 2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365.
@@ -406,11 +420,11 @@ Azure AD Connect should start synchronization immediately. Depending on the numb
 8. The list of security group members should mirror the group membership for the corresponding security group in AD DS.
 9. Close the browser.
 
-Now that you've verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium.
+Now that you've verified Microsoft Entra Connect synchronization, you’re ready to assign user licenses for Microsoft Entra ID P1 or P2.
 
 ### Summary
 
-In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly.
+In this section, you selected your synchronization model, deployed Microsoft Entra Connect, and verified that Microsoft Entra ID is synchronizing properly.
 
 ## Bulk-import user and group accounts into AD DS
 
@@ -464,7 +478,7 @@ For more information about how to import user accounts into AD DS by using:
 
 ### Summary
 
-In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you've Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
+In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you've Microsoft Entra Connect, it automatically synchronizes the new AD DS user and group accounts to Microsoft Entra ID. Now, you’re ready to assign user licenses for Microsoft Entra ID P1 or P2 in the [Assign user licenses for Microsoft Entra ID P1 or P2](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
 
 ## Bulk-import user accounts into Office 365
 
@@ -490,7 +504,7 @@ The email accounts are assigned temporary passwords upon creation. Communicate t
 Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources.
 
 > [!NOTE]
-> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Microsoft Entra integration to synchronize the security groups with your Office 365 tenant.
 
 For information about creating security groups, see [Create a group in the Microsoft 365 admin center](/microsoft-365/admin/create-groups/create-groups).
 
@@ -512,18 +526,20 @@ For information about how to create security groups, see [Create a group in the
 
 ### Summary
 
-Now, you've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium.
+Now, you've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Microsoft Entra ID P1 or P2.
 
-## Assign user licenses for Azure AD Premium
+<a name='assign-user-licenses-for-azure-ad-premium'></a>
 
-Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. Educational institutions can obtain Azure AD Basic licenses at no cost and Azure AD Premium licenses at a reduced cost.
+## Assign user licenses for Microsoft Entra ID P1 or P2
 
-You can assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users.
+Microsoft Entra ID is available in Free, Basic, and Premium editions. Microsoft Entra ID Free, which is included in Office 365 Education, has fewer features than Microsoft Entra Basic, which in turn has fewer features than Microsoft Entra ID P1 or P2. Educational institutions can obtain Microsoft Entra Basic licenses at no cost and Microsoft Entra ID P1 or P2 licenses at a reduced cost.
+
+You can assign Microsoft Entra ID P1 or P2 licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Microsoft Entra ID P1 or P2 only to those users.
 
 For more information about:
 
-- Azure AD editions, see [Azure Active Directory editions](/azure/active-directory/fundamentals/active-directory-whatis).
-- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
+- Microsoft Entra editions, see [Microsoft Entra editions](/azure/active-directory/fundamentals/active-directory-whatis).
+- How to assign user licenses for Microsoft Entra ID P1 or P2, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
 
 ## Create and configure a Microsoft Store for Business portal
 
@@ -546,7 +562,7 @@ To create and configure your Microsoft Store for Business portal, use the admini
 1. In Microsoft Edge or Internet Explorer, go to [https://microsoft.com/business-store](https://microsoft.com/business-store).
 2. On the **Microsoft Store for Business** page, click **Sign in with an organizational account**.
 
-    If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+    If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Microsoft Entra integration to synchronize the security groups with your Office 365 tenant.
 
 1. On the Microsoft Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in.
 2. On the **Microsoft Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept**
@@ -716,7 +732,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
 ---
 | Recommendation | Description |
 | --- | --- |
-| **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, don't use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.<br/><br/>Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.<br/><br/>**Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.<br/><br/>**Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. |
+| **Use of Microsoft accounts** | You want faculty and students to use only Microsoft Entra accounts for institution-owned devices. For these devices, don't use Microsoft accounts or associate a Microsoft account with the Microsoft Entra accounts.<br/><br/>Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Microsoft Entra account on these devices.<br/><br/>**Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.<br/><br/>**Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. |
 | **Restrict local administrator accounts on the devices** | Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.<br/><br/>**Group Policy**: Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732525(v=ws.11)).<br/><br/>**Intune**: Not available |
 | **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.<br/><br/>**Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You'll specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).<br/><br/>**Intune**: Not available. |
 | **Control Microsoft Store access** | You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.<br/><br/>**Group Policy**: You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP).<br/><br/>**Intune**: You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. |
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index fc74fcd614..d343391f22 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -1,7 +1,7 @@
 ---
 title: Deployment recommendations for school IT administrators
 description: Provides guidance on ways to customize the OS privacy settings, and some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
-ms.topic: conceptual
+ms.topic: best-practice
 ms.date: 08/10/2022
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md
index 56094c8023..d3a6d97411 100644
--- a/education/windows/edu-stickers.md
+++ b/education/windows/edu-stickers.md
@@ -33,14 +33,14 @@ Stickers aren't enabled by default. Follow the instructions below to configure y
 
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 
-[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
+[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)]
 
 | Setting |
 |--------|
 | <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
 
-[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
-[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
+[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
+[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
 
 > [!TIP]
 > Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. <sup>[1](#footnote1)</sup>
diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md
index 10c843fc0b..d09c408d8a 100644
--- a/education/windows/edu-take-a-test-kiosk-mode.md
+++ b/education/windows/edu-take-a-test-kiosk-mode.md
@@ -53,7 +53,7 @@ To configure devices using Intune for Education, follow these steps:
 
 ### Configure Take a Test with a custom policy
 
-[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
+[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)]
 
 | Setting |
 |--------|
@@ -67,8 +67,8 @@ To configure devices using Intune for Education, follow these steps:
 
 :::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true":::
 
-[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
-[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
+[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
+[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
 
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 
@@ -199,7 +199,7 @@ To create a local account, and configure Take a Test in kiosk mode using the Set
    :::image type="content" source="./images/takeatest/login-screen-take-a-test-single-pc.png" alt-text="Windows 11 SE login screen with the take a test account." border="true":::
 
    > [!NOTE]  
-   > To sign-in with a local account on a device that is joined to Azure AD or Active Directory, you must prefix the username with either `<computername>\` or `.\`.
+   > To sign-in with a local account on a device that is joined to Microsoft Entra ID or Active Directory, you must prefix the username with either `<computername>\` or `.\`.
 
 ---
 
@@ -219,4 +219,4 @@ The following animation shows the process of signing in to the test-taking accou
 [MEM-2]: /mem/intune/configuration/settings-catalog
 
 [WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
-[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
\ No newline at end of file
+[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md
index bd941025f7..c30c7fd79a 100644
--- a/education/windows/edu-themes.md
+++ b/education/windows/edu-themes.md
@@ -1,7 +1,7 @@
 ---
 title: Configure education themes for Windows 11
 description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package.
-ms.date: 09/15/2022
+ms.date: 09/11/2023
 ms.topic: how-to
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@@ -12,25 +12,30 @@ appliesto:
 
 Starting in **Windows 11, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
 
-:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Windows 11 desktop with 3 stickers" border="true":::
+:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Screenshot of Windows 11 desktop with 3 stickers" border="true":::
 
 Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings.
-Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it. This is great news for schools looking to give that same device to a new student the next year.
+Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it.
 
 ## Enable education themes
 
-Education themes aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
+Education themes aren't enabled by default. The following instructions describe how to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
 
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 
-[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
+[!INCLUDE [intune-settings-catalog-1](../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| Education | Enable Edu Themes | Enabled |
+
+[!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
 
 | Setting |
 |--------|
-| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
-
-[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
-[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
+| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`<br>**Data type**: int<br>**Value**: `1`|
 
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 
@@ -46,15 +51,15 @@ Follow the steps in [Apply a provisioning package][WIN-2] to apply the package t
 
 ## How to use the education themes
 
-Once the education themes are enabled, the device will download them as soon as a user signs in to the device.
+Once the education themes are enabled, the device downloads them as soon as a user signs in to the device.
 
 To change the theme, select **Settings** > **Personalization** > **Themes** > **Select a theme**
 
-:::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 education themes selection" border="true":::
+:::image type="content" source="./images/win-11-se-themes.png" alt-text="Screenshot of Windows 11 education themes selection" border="true":::
 
 -----------
 
-[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+[INT-1]: /mem/intune/configuration/custom-settings-windows-10
 
 [WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
-[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
\ No newline at end of file
+[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 0d98af99f7..4c9144fdb9 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -1,13 +1,12 @@
 ---
 title: Configure federated sign-in for Windows devices
-description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
-ms.date: 05/01/2023
+description: Learn how federated sign-in in Windows works and how to configure it.
+ms.date: 09/11/2023
 ms.topic: how-to
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
 ms.collection:
-  - highpri
   - tier1
   - education
 ---
@@ -16,7 +15,7 @@ ms.collection:
 
 Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via web sign-in.\
 This feature is called *federated sign-in*.\
-Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
+Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
 
 ## Benefits of federated sign-in
 
@@ -29,27 +28,27 @@ With fewer credentials to remember and a simplified sign-in process, students ar
 
 To implement federated sign-in, the following prerequisites must be met:
 
-1. An Azure AD tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Azure AD?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4]
+1. A Microsoft Entra tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Microsoft Entra ID?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4]
     >[!NOTE]
-    >If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1].
+    >If your organization uses a third-party federation solution, you can configure single sign-on to Microsoft Entra ID if the solution is compatible with Microsoft Entra ID. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these [guidelines][MSFT-1].
 
-    - For a step-by-step guide on how to configure **Google Workspace** as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md)
-    - For a step-by-step guide on how to configure **Clever** as an identity provider for Azure AD, see [Setup guide for Badges into Windows and Azure AD][EXT-1]
+    - For a step-by-step guide on how to configure **Google Workspace** as an identity provider for Microsoft Entra ID, see [Configure federation between Google Workspace and Microsoft Entra ID](configure-aad-google-trust.md)
+    - For a step-by-step guide on how to configure **Clever** as an identity provider for Microsoft Entra ID, see [Setup guide for Badges into Windows and Microsoft Entra ID][EXT-1]
 1. Individual IdP accounts created: each user requires an account defined in the third-party IdP platform
-1. Individual Azure AD accounts created: each user requires a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
+1. Individual Microsoft Entra accounts created: each user requires a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example:
     - [School Data Sync (SDS)][SDS-1]
-    - [Azure AD Connect sync][AZ-3] for environment with on-premises AD DS
+    - [Microsoft Entra Connect Sync][AZ-3] for environment with on-premises AD DS
     - PowerShell scripts that call the [Microsoft Graph API][GRAPH-1]
     - provisioning tools offered by the IdP
 
-    For more information about identity matching, see [Identity matching in Azure AD](#identity-matching-in-azure-ad).
-1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2]
+    For more information about identity matching, see [Identity matching in Microsoft Entra ID](#identity-matching-in-azure-ad).
+1. Licenses assigned to the Microsoft Entra user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Microsoft Entra ID, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Microsoft Entra ID][AZ-2]
 1. Enable federated sign-in on the Windows devices
 
 To use federated sign-in, the devices must have Internet access. This feature doesn't work without it, as the authentication is done over the Internet.
 
 > [!IMPORTANT]
-> WS-Fed is the only supported federated protocol to join a device to Azure AD. If you have a SAML 2.0 IdP, it's recommended to complete the Azure AD join process using one of the following methods:
+> WS-Fed is the only supported federated protocol to join a device to Microsoft Entra ID. If you have a SAML 2.0 IdP, it's recommended to complete the Microsoft Entra join process using one of the following methods:
 > - Provisioning packages (PPKG)
 > - Windows Autopilot self-deploying mode
 
@@ -77,21 +76,25 @@ To use web sign-in with a federated identity provider, your devices must be conf
 
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 
-To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
+[!INCLUDE [intune-settings-catalog-1](../../includes/configure/intune-settings-catalog-1.md)]
 
-[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
+| Category | Setting name | Value |
+|--|--|--|
+| Education | Is Education Environment | Enabled |
+| Federated Authentication | Enable Web Sign In For Primary User | Enabled |
+| Authentication | Configure Web Sign In Allowed Urls | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` |
+| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` |
+
+[!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
 
 | Setting |
 |--------|
-| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
-| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
-| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Data type: **String** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
-| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Data type: **String** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
-
-:::image type="content" source="images/federated-sign-in-settings-intune.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-intune.png" border="true":::
-
-[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
-[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
+| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`<br>**Data type**: int<br>**Value**: `1`|
+| **OMA-URI**: `./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser`<br>**Data type**: int<br>**Value**: `1`|
+| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`<br>**Data type**: String <br>**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
+| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`** <br>**Data type**: String <br>**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`|
 
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 
@@ -99,12 +102,12 @@ To configure federated sign-in using a provisioning package, use the following s
 
 | Setting |
 |--------|
-| <li> Path: **`Education/IsEducationEnvironment`** </li><li>Value: **Enabled**</li>|
-| <li> Path: **`FederatedAuthentication/EnableWebSignInForPrimaryUser`** </li><li>Value: **Enabled**</li>|
-| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
-| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
+| **Path**: `Education/IsEducationEnvironment` <br>**Value**: Enabled|
+| **Path**: `FederatedAuthentication/EnableWebSignInForPrimaryUser` <br>**Value**: Enabled|
+| **Path**: `Policies/Authentication/ConfigureWebSignInAllowedUrls` <br>**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
+| **Path**: `Policies/Authentication/ConfigureWebCamAccessDomainNames` <br>**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`|
 
-:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
+:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Screenshot of Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
 
 Apply the provisioning package to the single-user devices that require federated sign-in.
 
@@ -119,20 +122,27 @@ To use web sign-in with a federated identity provider, your devices must be conf
 
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 
-To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
+[!INCLUDE [intune-settings-catalog-1](../../includes/configure/intune-settings-catalog-1.md)]
 
-[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
+| Category | Setting name | Value |
+|--|--|--|
+| Education | Is Education Environment | Enabled |
+| SharedPC | Enable Shared PC Mode With OneDrive Sync | True |
+| Authentication | Enable Web Sign In | Enabled |
+| Authentication | Configure Web Sign In Allowed Urls | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` |
+| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` |
+
+[!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
 
 | Setting |
 |--------|
-| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
-| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync`** </li><li>Data type: **Boolean** </li><li>Value: **True**</li>|
-| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
-| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Data type: **String** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
-| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Data type: **String** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
-
-[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
-[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
+| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`<br>**Data type**: int<br>**Value**: `1`|
+| **OMA-URI**: `./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync`<br>**Data type**: Boolean<br>**Value**: True|
+| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`<br>**Data type**: Integer<br>**Value**: `1`|
+| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`<br>**Data type**: String <br>**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
+| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`<br>**Data type**: String <br>**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`|
 
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 
@@ -140,11 +150,11 @@ To configure federated sign-in using a provisioning package, use the following s
 
 | Setting |
 |--------|
-| <li> Path: **`Education/IsEducationEnvironment`** </li><li>Value: **Enabled**</li>|
-| <li> Path: **`SharedPC/EnableSharedPCModeWithOneDriveSync`** </li><li>Value: **True**</li>|
-| <li> Path: **`Policies/Authentication/EnableWebSignIn`** </li><li>Value: **Enabled**</li>|
-| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
-| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
+| <li> Path: **`Education/IsEducationEnvironment`**<br>Value: **Enabled**|
+| <li> Path: **`SharedPC/EnableSharedPCModeWithOneDriveSync`**<br>Value: **True**|
+| <li> Path: **`Policies/Authentication/EnableWebSignIn`**<br>Value: **Enabled**|
+| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`**<br>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**|
+| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`**<br>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**|
 
 Apply the provisioning package to the shared devices that require federated sign-in.
 
@@ -159,11 +169,11 @@ Once the devices are configured, a new sign-in experience becomes available.
 
 As users enter their username, they're redirected to the identity provider sign-in page. Once the Idp authenticates the users, they're signed-in. In the following animation, you can observe how the first sign-in process works for a student assigned (1:1) device:
 
-:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Windows 11 SE sign-in using federated sign-in through Clever and QR code badge, in a student assigned (1:1) device." border="false":::
+:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Screenshot of Windows 11 SE sign-in using federated sign-in through Clever and QR code badge, in a student assigned (1:1) device." border="false":::
 
 > [!IMPORTANT]
 > For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen.
-> The behavior is different for student shared devices, where the disambiguation page is always shown, unless preferred Azure AD tenant name is configured.
+> The behavior is different for student shared devices, where the disambiguation page is always shown, unless preferred Microsoft Entra tenant name is configured.
 
 ## Important considerations
 
@@ -186,29 +196,33 @@ The following issues are known to affect student shared devices:
 
 For student shared devices, it's recommended to configure the account management policies to automatically delete the user profiles after a certain period of inactivity or disk levels. For more information, see [Set up a shared or guest Windows device][WIN-3].
 
-### Preferred Azure AD tenant name
+<a name='preferred-azure-ad-tenant-name'></a>
 
-To improve the user experience, you can configure the *preferred Azure AD tenant name* feature.\
-When using preferred AAD tenant name, the users bypass the disambiguation page and are redirected to the identity provider sign-in page. This configuration can be especially useful for student shared devices, where the disambiguation page is always shown.
+### Preferred Microsoft Entra tenant name
+
+To improve the user experience, you can configure the *preferred Microsoft Entra tenant name* feature.\
+When using preferred Microsoft Entra tenant name, the users bypass the disambiguation page and are redirected to the identity provider sign-in page. This configuration can be especially useful for student shared devices, where the disambiguation page is always shown.
 
 For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4].
 
-### Identity matching in Azure AD
+<a name='identity-matching-in-azure-ad'></a>
 
-When an Azure AD user is federated, the user's identity from the IdP must match an existing user object in Azure AD.
-After the token sent by the IdP is validated, Azure AD searches for a matching user object in the tenant by using an attribute called *ImmutableId*.
+### Identity matching in Microsoft Entra ID
+
+When a Microsoft Entra user is federated, the user's identity from the IdP must match an existing user object in Microsoft Entra ID.
+After the token sent by the IdP is validated, Microsoft Entra ID searches for a matching user object in the tenant by using an attribute called *ImmutableId*.
 
 > [!NOTE]
 > The ImmutableId is a string value that **must be unique** for each user in the tenant, and it shouldn't change over time. For example, the ImmutableId could be the student ID or SIS ID. The ImmutableId value should be based on the federation setup and configuration with your IdP, so confirm with your IdP before setting it.
 
 If the matching object is found, the user is signed-in. Otherwise, the user is presented with an error message. The following picture shows that a user with the ImmutableId *260051* can't be found:
 
-:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
+:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Screenshot of Microsoft Entra sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
 
 > [!IMPORTANT]
 > The ImmutableId matching is case-sensitive.
 
-The ImmutableId is typically configured when the user is created in Azure AD, but it can also be updated later.\
+The ImmutableId is typically configured when the user is created in Microsoft Entra ID, but it can also be updated later.\
 In a scenario where a user is federated and you want to change the ImmutableId, you must:
 
 1. Convert the federated user to a cloud-only user (update the UPN to a non-federated domain)
@@ -245,7 +259,7 @@ Update-MgUser -UserId alton@example.onmicrosoft.com -UserPrincipalName alton@exa
 [GRAPH-1]: /graph/api/user-post-users?tabs=powershell
 
 [EXT-1]: https://support.clever.com/hc/s/articles/000001546
-[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
+[INT-1]: /mem/intune/configuration/custom-settings-windows-10
 
 [MSFT-1]: https://www.microsoft.com/download/details.aspx?id=56843
 
@@ -257,4 +271,4 @@ Update-MgUser -UserId alton@example.onmicrosoft.com -UserPrincipalName alton@exa
 [WIN-1]: /windows/client-management/mdm/sharedpc-csp
 [WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin
 [WIN-3]: /windows/configuration/set-up-shared-or-guest-pc
-[WIN-4]: /windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname
\ No newline at end of file
+[WIN-4]: /windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 3fb0972c89..4e8222d98d 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -2,9 +2,8 @@
 title: Get and deploy Minecraft Education
 description: Learn how to obtain and distribute Minecraft Education to Windows devices.
 ms.topic: how-to
-ms.date: 02/23/2023
+ms.date: 09/11/2023
 ms.collection:
-  - highpri
   - education
   - tier2
 ---
@@ -33,10 +32,10 @@ Users in a Microsoft-verified academic organization with Microsoft 365 accounts
 
 Organizations can [purchase subscriptions][EDU-2] directly in the *Microsoft 365 admin center*, via volume licensing agreements, or through partner resellers.
 
-When you sign up for a Minecraft Education trial, or purchase a subscription, Minecraft Education licenses are linked to your Azure Active Directory (Azure AD) tenant. If you don't have an Azure AD tenant:
+When you sign up for a Minecraft Education trial, or purchase a subscription, Minecraft Education licenses are linked to your Microsoft Entra tenant. If you don't have a Microsoft Entra tenant:
 
-- Microsoft-verified academic organizations can set up a free [Office 365 Education subscription][EDU-3], which includes an Azure AD tenant  
-- Non-Microsoft-verified academic organizations can set up a free Azure AD tenant when they [purchase Minecraft Education commercial licenses][EDU-4]
+- Microsoft-verified academic organizations can set up a free [Office 365 Education subscription][EDU-3], which includes a Microsoft Entra tenant  
+- Non-Microsoft-verified academic organizations can set up a free Microsoft Entra tenant when they [purchase Minecraft Education commercial licenses][EDU-4]
 
 ### Direct purchase
 
diff --git a/education/windows/images/federated-sign-in-settings-intune.png b/education/windows/images/federated-sign-in-settings-intune.png
deleted file mode 100644
index bdde7cf85a..0000000000
Binary files a/education/windows/images/federated-sign-in-settings-intune.png and /dev/null differ
diff --git a/education/windows/includes/intune-custom-settings-1.md b/education/windows/includes/intune-custom-settings-1.md
deleted file mode 100644
index d911751e75..0000000000
--- a/education/windows/includes/intune-custom-settings-1.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-ms.date: 02/22/2022
-ms.topic: include
----
-
-To configure devices with Microsoft Intune, use a custom policy:
-
-1. Go to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
-2. Select **Devices > Configuration profiles > Create profile**
-3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
-4. Select **Create**
-5. Specify a **Name** and, optionally, a **Description > Next**
-6. Add the following settings:
\ No newline at end of file
diff --git a/education/windows/includes/intune-custom-settings-2.md b/education/windows/includes/intune-custom-settings-2.md
deleted file mode 100644
index 1a601acaa7..0000000000
--- a/education/windows/includes/intune-custom-settings-2.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-ms.date: 11/08/2022
-ms.topic: include
----
-
-7. Select **Next**
-8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
-9. Under **Applicability Rules**, select **Next**
-10. Review the policy configuration and select **Create**
\ No newline at end of file
diff --git a/education/windows/includes/intune-custom-settings-info.md b/education/windows/includes/intune-custom-settings-info.md
deleted file mode 100644
index 8ff9da4294..0000000000
--- a/education/windows/includes/intune-custom-settings-info.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 11/08/2022
-ms.topic: include
----
-
-For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
\ No newline at end of file
diff --git a/education/windows/index.yml b/education/windows/index.yml
index 691901dcf2..8d3a93691a 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -1,95 +1,181 @@
-### YamlMime:Landing
+### YamlMime:Hub
 
 title: Windows for Education documentation
-summary: Evaluate, plan, deploy, and manage Windows devices in an education environment
+summary: Learn how to deploy, secure, and manage Windows clients in an education environment.
+brand: windows
 
 metadata:
-  title: Windows for Education documentation
-  description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune
-  ms.topic: landing-page
+  ms.topic: hub-page
   ms.prod: windows-client
   ms.technology: itpro-edu
   ms.collection:
-  - education
-  - highpri
-  - tier1
+    - education
+    - highpri
+    - tier1
   author: paolomatarazzo
   ms.author: paoloma
-  ms.date: 03/09/2023
   manager: aaroncz
+  ms.date: 07/28/2023
 
-landingContent: 
+highlightedContent:
+  items:
+  - title: Get started with Windows 11
+    itemType: get-started
+    url: /windows/whats-new/windows-11-overview
+  - title: Windows 11, version 22H2
+    itemType: whats-new
+    url: /windows/whats-new/whats-new-windows-11-version-22H2
+  - title: Windows 11, version 22H2 group policy settings reference 
+    itemType: download
+    url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
+  - title: Windows release health
+    itemType: whats-new
+    url: /windows/release-health
+  - title: Windows commercial licensing
+    itemType: overview
+    url: /windows/whats-new/windows-licensing
+  - title: Windows 365 documentation
+    itemType: overview
+    url: /windows-365
+  - title: Explore all Windows trainings and learning paths for IT pros
+    itemType: learn
+    url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator
+  - title: Enroll Windows client devices in Microsoft Intune
+    itemType: how-to-guide
+    url: /mem/intune/fundamentals/deployment-guide-enrollment-windows
 
-  - title: Get started
-    linkLists:
-      - linkListType: tutorial
-        links:
-        - text: Deploy and manage Windows devices in a school
-          url: tutorial-school-deployment/index.md
-        - text: Prepare your tenant
-          url: tutorial-school-deployment/set-up-azure-ad.md
-        - text: Configure settings and applications with Microsoft Intune
-          url: tutorial-school-deployment/configure-devices-overview.md
-        - text: Manage devices with Microsoft Intune
-          url: tutorial-school-deployment/manage-overview.md
-        - text: Management functionalities for Surface devices
-          url: tutorial-school-deployment/manage-surface-devices.md     
+productDirectory:
+  title: Get started
+  items:
 
-  - title: Learn about Windows 11 SE
-    linkLists:
-      - linkListType: concept
-        links:
-        - text: What is Windows 11 SE?
-          url: windows-11-se-overview.md
-        - text: Windows 11 SE settings
-          url: windows-11-se-settings-list.md
-      - linkListType: whats-new
-        links:
-        - text: Configure federated sign-in
-          url: federated-sign-in.md
-        - text: Configure education themes
-          url: edu-themes.md
-        - text: Configure Stickers
-          url: edu-stickers.md
-      - linkListType: video
-        links:
-        - text: Deploy Windows 11 SE using Set up School PCs
-          url: https://www.youtube.com/watch?v=Ql2fbiOop7c
+    - title: Hardware security
+      imageSrc: /media/common/i_usb.svg
+      links:
+        - url: /windows/security/hardware-security/tpm/trusted-platform-module-overview
+          text: Trusted Platform Module
+        - url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor
+          text: Microsoft Pluton
+        - url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows
+          text: Windows Defender System Guard
+        - url: /windows-hardware/design/device-experiences/oem-vbs
+          text: Virtualization-based security (VBS)
+        - url: /windows-hardware/design/device-experiences/oem-highly-secure-11
+          text: Secured-core PC
+        - url: /windows/security/hardware-security
+          text: Learn more about hardware security >
 
-  - title: Deploy devices with Set up School PCs
-    linkLists:
-      - linkListType: concept
-        links:
-        - text: What is Set up School PCs?
-          url: set-up-school-pcs-technical.md
-      - linkListType: how-to-guide
-        links:
-        - text: Use the Set up School PCs app
-          url: use-set-up-school-pcs-app.md
-      - linkListType: reference
-        links:
-        - text: Provisioning package settings
-          url: set-up-school-pcs-provisioning-package.md
-      - linkListType: video
-        links:
-        - text: Use the Set up School PCs App
-          url: https://www.youtube.com/watch?v=2ZLup_-PhkA
+    - title: OS security
+      imageSrc: /media/common/i_threat-protection.svg
+      links:
+        - url: /windows/security/operating-system-security
+          text: Trusted boot
+        - url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
+          text: Windows security settings
+        - url: 	/windows/security/operating-system-security/data-protection/bitlocker/
+          text: BitLocker
+        - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
+          text: Windows security baselines
+        - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
+          text: MMicrosoft Defender SmartScreen
+        - url: /windows/security/operating-system-security
+          text: Learn more about OS security >
 
-  - title: Configure devices
-    linkLists:
-      - linkListType: concept
-        links:
-        - text: Take tests and assessments in Windows
-          url: take-tests-in-windows.md
-        - text: Considerations for shared and guest devices
-          url: /windows/configuration/shared-devices-concepts?context=/education/context/context
-        - text: Change Windows editions
-          url: change-home-to-edu.md
-      - linkListType: how-to-guide
-        links:
-        - text: Configure Take a Test in kiosk mode
-          url: edu-take-a-test-kiosk-mode.md
-        - text: Configure Shared PC
-          url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
-        - text: Get and deploy Minecraft Education
-          url: get-minecraft-for-education.md
\ No newline at end of file
+    - title: Identity protection
+      imageSrc: /media/common/i_identity-protection.svg
+      links:
+        - url: /windows/security/identity-protection/hello-for-business
+          text: Windows Hello for Business
+        - url: /windows/security/identity-protection/credential-guard
+          text: Credential Guard
+        - url: /windows-server/identity/laps/laps-overview
+          text: Windows LAPS (Local Administrator Password Solution)
+        - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
+          text: Enhanced phishing protection with SmartScreen
+        - url: /education/windows/federated-sign-in
+          text: Federated sign-in (EDU)
+        - url: /windows/security/identity-protection
+          text: Learn more about identity protection >
+
+    - title: Application security
+      imageSrc: /media/common/i_queries.svg
+      links:
+        - url: /windows/security/application-security/application-control/windows-defender-application-control/
+          text: Windows Defender Application Control (WDAC)
+        - url: /windows/security/application-security/application-control/user-account-control
+          text: User Account Control (UAC)
+        - url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules
+          text: Microsoft vulnerable driver blocklist
+        - url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
+          text: Microsoft Defender Application Guard (MDAG)
+        - url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
+          text: Windows Sandbox
+        - url: /windows/security/application-security
+          text: Learn more about application security >
+
+    - title: Security foundations
+      imageSrc: /media/common/i_build.svg
+      links:
+        - url: /windows/security/security-foundations/certification/fips-140-validation
+          text: FIPS 140-2 validation
+        - url: /windows/security/security-foundations/certification/windows-platform-common-criteria
+          text: Common Criteria Certifications
+        - url: /windows/security/security-foundations/msft-security-dev-lifecycle
+          text: Microsoft Security Development Lifecycle (SDL)
+        - url: https://www.microsoft.com/msrc/bounty-windows-insider-preview
+          text: Microsoft Windows Insider Preview bounty program
+        - url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
+          text: OneFuzz service
+        - url: /windows/security/security-foundations
+          text: Learn more about security foundations >
+
+    - title: Cloud security
+      imageSrc: /media/common/i_cloud-security.svg
+      links:
+        - url: /mem/intune/protect/security-baselines
+          text: Security baselines with Intune
+        - url: /windows/deployment/windows-autopatch
+          text: Windows Autopatch
+        - url: /windows/deployment/windows-autopilot
+          text: Windows Autopilot
+        - url: /universal-print
+          text: Universal Print
+        - url: /windows/client-management/mdm/remotewipe-csp
+          text: Remote wipe
+        - url: /windows/security/cloud-security
+          text: Learn more about cloud security >
+
+additionalContent:
+  sections:
+    - title: More Windows resources
+      items:
+
+        - title: Windows Server
+          links:
+            - text: Windows Server documentation
+              url: /windows-server
+            - text: What's new in Windows Server 2022?
+              url: /windows-server/get-started/whats-new-in-windows-server-2022
+            - text: Windows Server blog
+              url: https://cloudblogs.microsoft.com/windowsserver/
+
+        - title: Windows product site and blogs
+          links:
+            - text: Find out how Windows enables your business to do more
+              url: https://www.microsoft.com/microsoft-365/windows
+            - text: Windows blogs
+              url: https://blogs.windows.com/
+            - text: Windows IT Pro blog
+              url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog
+            - text: Microsoft Intune blog
+              url: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/bg-p/MicrosoftEndpointManagerBlog
+            - text: "Windows help & learning: end-user documentation"
+              url: https://support.microsoft.com/windows
+
+        - title: Participate in the community
+          links:
+            - text: Windows community
+              url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10
+            - text: Microsoft Intune community
+              url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune
+            - text: Microsoft Support community
+              url: https://answers.microsoft.com/windows/forum
\ No newline at end of file
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
index 012b66b62e..27bffd9a4e 100644
--- a/education/windows/set-up-school-pcs-azure-ad-join.md
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@@ -1,20 +1,20 @@
 ---
-title: Azure AD Join with Set up School PCs app
-description: Learn how Azure AD Join is configured in the Set up School PCs app.
-ms.topic: conceptual
+title: Microsoft Entra join with Set up School PCs app
+description: Learn how Microsoft Entra join is configured in the Set up School PCs app.
+ms.topic: reference
 ms.date: 08/10/2022
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---  
 
-# Azure AD Join for school PCs  
+# Microsoft Entra join for school PCs  
 
 > [!NOTE]
->   Set up School PCs app uses Azure AD Join to configure PCs. The app is helpful if you use the cloud based directory, Azure Active Directory (AD). If your organization uses Active Directory or requires no account to connect, install and use [Windows Configuration
+>   Set up School PCs app uses Microsoft Entra join to configure PCs. The app is helpful if you use the cloud based directory, Microsoft Entra ID. If your organization uses Active Directory or requires no account to connect, install and use [Windows Configuration
 >   Designer](set-up-students-pcs-to-join-domain.md) to 
 >   join your PCs to your school's domain.
 
-Set up School PCs lets you create a provisioning package that automates Azure AD
+Set up School PCs lets you create a provisioning package that automates Microsoft Entra ID
 Join on your devices. This feature eliminates the need to manually:
 
 -   Connect to your school's network.
@@ -22,23 +22,25 @@ Join on your devices. This feature eliminates the need to manually:
 
 ## Automated connection to school domain  
 
-During initial device setup, Azure AD Join automatically connects your PCs to your school's Azure AD domain. You can skip all of the Windows setup experience that is typically a part of the out-of-the-box-experience (OOBE). Devices that are managed by a mobile device manager, such as Intune, are automatically enrolled with the provider upon initial device startup.
+During initial device setup, Microsoft Entra join automatically connects your PCs to your school's Microsoft Entra domain. You can skip all of the Windows setup experience that is typically a part of the out-of-the-box-experience (OOBE). Devices that are managed by a mobile device manager, such as Intune, are automatically enrolled with the provider upon initial device startup.
 
-Students who sign in to their PCs with their Azure AD credentials get access to on-premises apps and the following cloud apps:
+Students who sign in to their PCs with their Microsoft Entra credentials get access to on-premises apps and the following cloud apps:
 * Office 365
 * OneDrive
 * OneNote
 
-## Enable Azure AD Join  
+<a name='enable-azure-ad-join'></a>
 
-Learn how to enable Azure AD Join for your school. After you configure this setting, you'll be able to request an automated Azure AD bulk token, which you need to create a provisioning package.   
+## Enable Microsoft Entra join  
+
+Learn how to enable Microsoft Entra join for your school. After you configure this setting, you'll be able to request an automated Microsoft Entra bulk token, which you need to create a provisioning package.   
 
 1. Sign in to the Azure portal with your organization's credentials. 
 2. Go to **Azure
 Active Directory** \> **Devices** \> **Device settings**.  
 3. Enable the setting
-for Azure AD by selecting **All** or **Selected**. If you choose the latter
-option, select the teachers and IT staff to allow them to connect to Azure AD.  
+for Microsoft Entra ID by selecting **All** or **Selected**. If you choose the latter
+option, select the teachers and IT staff to allow them to connect to Microsoft Entra ID.  
 
 ![Select the users you want to let join devices to Azure AD.](images/suspcs/suspc-enable-shared-pc-1807.png)  
 
@@ -50,28 +52,30 @@ The following table describes each setting within **Device Settings**.
 
 | Setting                                                    | Description                                                                                                                                                                                                                                                                                                            |
 |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Users may join devices to Azure AD                         | Choose the scope of people in your organization that are allowed to join devices to Azure AD. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Azure AD. |  
-| More local administrators on Azure AD-joined devices | Only applicable to Azure AD Premium tenants. Grant extra local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default.                                                                                                  |
-| Users may register their devices with Azure AD             | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you're enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you.                                     |
-| Require Multi-Factor Authentication to join devices                  | Recommended when adding devices to Azure AD. When set to **Yes**, users that are setting up devices must enter a second method of authentication.                                                                                                             |
-| Maximum number of devices per user                         | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before more devices are added.                                                                                                                               |
-| Users may sync settings and enterprise app data            | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Azure AD Premium are permitted to select specific users to allow.                                                                                                                                                  |
+| Users may join devices to Microsoft Entra ID                         | Choose the scope of people in your organization that are allowed to join devices to Microsoft Entra ID. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Microsoft Entra ID. |  
+| More local administrators on Microsoft Entra joined devices | Only applicable to Microsoft Entra ID P1 or P2 tenants. Grant extra local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default.                                                                                                  |
+| Users may register their devices with Microsoft Entra ID             | Allow all or none of your users to register their devices with Microsoft Entra ID (Workplace Join). If you're enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you.                                     |
+| Require Multi-Factor Authentication to join devices                  | Recommended when adding devices to Microsoft Entra ID. When set to **Yes**, users that are setting up devices must enter a second method of authentication.                                                                                                             |
+| Maximum number of devices per user                         | Set the maximum number of devices a user is allowed to have in Microsoft Entra ID. If the maximum is exceeded, the user must remove one or more existing devices before more devices are added.                                                                                                                               |
+| Users may sync settings and enterprise app data            | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Microsoft Entra ID P1 or P2 are permitted to select specific users to allow.                                                                                                                                                  |
 
-## Clear Azure AD tokens  
+<a name='clear-azure-ad-tokens'></a>
 
-Your Intune tenant can only have 500 active Azure AD tokens, or packages, at a time. You'll receive a notification in the Intune portal when you reach 500 active tokens.
+## Clear Microsoft Entra tokens  
+
+Your Intune tenant can only have 500 active Microsoft Entra tokens, or packages, at a time. You'll receive a notification in the Intune portal when you reach 500 active tokens.
 
 To reduce your inventory, clear out all unnecessary and inactive tokens.
-1. Go to **Azure Active Directory** > **Users** > **All users**  
+1. Go to **Microsoft Entra ID** > **Users** > **All users**  
 2. In the **User Name** column, select and delete all accounts with a **package\ _**
 prefix. These accounts are created at a 1:1 ratio for every token and are safe
 to delete.   
 3. Select and delete inactive and expired user accounts. 
 
 ### How do I know if my package expired?
-Automated Azure AD tokens expire after 180 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts.  
+Automated Microsoft Entra tokens expire after 180 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts.  
 
-![Screenshot of the Azure portal, Azure Active Directory, All Users page. Highlights all accounts that start with the prefix package_ and can be deleted.](images/suspcs/suspc-admin-token-delete-1807.png)  
+![Screenshot of the Azure portal, Microsoft Entra ID, All Users page. Highlights all accounts that start with the prefix package_ and can be deleted.](images/suspcs/suspc-admin-token-delete-1807.png)  
 
 ## Next steps    
 Learn more about setting up devices with the Set up School PCs app.  
@@ -79,4 +83,4 @@ Learn more about setting up devices with the Set up School PCs app.
 * [Set up School PCs technical reference](set-up-school-pcs-technical.md)
 * [Set up Windows 10 devices for education](set-up-windows-10.md) 
 
-When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
\ No newline at end of file
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md
index 12ea6880b4..0396303749 100644
--- a/education/windows/set-up-school-pcs-provisioning-package.md
+++ b/education/windows/set-up-school-pcs-provisioning-package.md
@@ -52,8 +52,8 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client
 
 | Policy name | Default value | Description |
 |--|--|--|
-| Authority | User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD. |
-| BPRT | User-defined | Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. |
+| Authority | User-defined | Authenticates the admin user. Value is set automatically when signed in to Microsoft Entra ID. |
+| BPRT | User-defined | Value is set automatically when signed in to Microsoft Entra ID. Allows you to create the provisioning package. |
 | WLAN Setting | XML is generated from the Wi-Fi profile in the Set up School PCs app. | Configures settings for wireless connectivity. |
 | Hide OOBE for desktop | True | Hides the interactive OOBE flow for Windows 10. |
 | Download Mode | 1 - HTTP blended with peering behind the same NAT | Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates |
@@ -125,7 +125,7 @@ Review the table below to estimate your expected provisioning time. A package th
 
 Learn more about setting up devices with the Set up School PCs app.
 
-- [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+- [Microsoft Entra join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
 - [Set up School PCs technical reference](set-up-school-pcs-technical.md)
 - [Set up Windows 10 devices for education](set-up-windows-10.md)
 
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index f888895674..8dd635d04e 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -11,11 +11,13 @@ appliesto:
 
 The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The app, which is available for Windows 10 version 1703 and later, configures and saves school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs.
 
-If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up
-School PCs app will create a setup file. This file joins the PC to your Azure Active Directory tenant. The app also helps set up PCs for use with or without Internet connectivity.  
+If your school uses Microsoft Entra ID or Office 365, the Set up
+School PCs app will create a setup file. This file joins the PC to your Microsoft Entra tenant. The app also helps set up PCs for use with or without Internet connectivity.  
 
-## Join PC to Azure Active Directory
-If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up
+<a name='join-pc-to-azure-active-directory'></a>
+
+## Join PC to Microsoft Entra ID
+If your school uses Microsoft Entra ID or Office 365, the Set up
 School PCs app creates a setup file that joins your PC to your Azure Active
 Directory tenant. 
 
@@ -24,7 +26,7 @@ The app also helps set up PCs for use with or without Internet connectivity.
 ## List of Set up School PCs features
 The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription.
 
-| Feature                                                                                                | No Internet | Azure AD | Office 365 | Azure AD Premium |
+| Feature                                                                                                | No Internet | Microsoft Entra ID | Office 365 | Microsoft Entra ID P1 or P2 |
 |--------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------|
 | **Fast sign-in**                                                                                       | X           | X        | X          | X                |
 | Students sign in and start using the computer in under a minute, even on initial sign-in.              |             |          |            |                  |
@@ -34,25 +36,25 @@ The following table describes the Set up School PCs app features and lists each
 | Set up computers for use by anyone with or without an account.                                         |             |          |            |                  |
 | **School policies**                                                                                    | X           | X        | X          | X                |
 | Settings create a relevant, useful learning environment and optimal computer performance.              |             |          |            |                  |
-| **Azure AD Join**                                                                                      |             | X        | X          | X                |
-| Computers join with your existing Azure AD or Office 365 subscription for centralized management.      |             |          |            |                  |
+| **Microsoft Entra join**                                                                                      |             | X        | X          | X                |
+| Computers join with your existing Microsoft Entra ID or Office 365 subscription for centralized management.      |             |          |            |                  |
 | **Single sign-on to Office 365**                                                                       |             |          | X          | X                |
 | Students sign in with their IDs to access all Office 365 web apps or installed Office apps.            |             |          |            |                  |
 | **Take a Test app**                                                                                    |             |          |            | X                |
 | Administer quizzes and assessments through test providers such as Smarter Balanced.                    |             |          |            |                  |
-| [Settings roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) **via Azure AD** |             |          |            | X                |
+| [Settings roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) **via Microsoft Entra ID** |             |          |            | X                |
 | Synchronize student and application data across devices for a personalized experience.                 |             |          |            |                  |
 
 > [!NOTE]
 >   If your school uses Active Directory, use [Windows Configuration
 >   Designer](set-up-students-pcs-to-join-domain.md) 
 >   to configure your PCs to join the domain. You can only use the Set up School
->   PCs app to set up PCs that are connected to Azure AD.
+>   PCs app to set up PCs that are connected to Microsoft Entra ID.
 
 ## Next steps  
 Learn more about setting up devices with the Set up School PCs app.  
-* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+* [Microsoft Entra join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
 * [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
 * [Set up Windows 10 devices for education](set-up-windows-10.md) 
 
-When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
\ No newline at end of file
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index cf16da56b2..669dc2484c 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -16,7 +16,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur
 
 - If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps).
 
-- If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package.
+- If you want to provision a school PC to join Microsoft Entra ID, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package.
 
 ## Learn more
 
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index e30614fd73..784d5978ac 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -1,7 +1,7 @@
 ---
 title: Set up Windows devices for education
 description: Decide which option for setting up Windows 10 is right for you.
-ms.topic: conceptual
+ms.topic: overview
 ms.date: 08/10/2022
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@@ -14,7 +14,7 @@ You have two tools to choose from to set up PCs for your classroom:
 - Set up School PCs 
 - Windows Configuration Designer
 
-Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account).
+Choose the tool that is appropriate for how your students will sign in (Active Directory, Microsoft Entra ID, or no account).
 
 You can use the following diagram to compare the tools.
 
@@ -30,4 +30,4 @@ You can use the following diagram to compare the tools.
 ## Related topics
 
 [Take tests in Windows](take-tests-in-windows.md)
-[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)S
\ No newline at end of file
+[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)S
diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md
index 2533467fca..d9663d6d32 100644
--- a/education/windows/take-tests-in-windows.md
+++ b/education/windows/take-tests-in-windows.md
@@ -2,7 +2,7 @@
 title: Take tests and assessments in Windows
 description: Learn about the built-in Take a Test app for Windows and how to use it.
 ms.date: 03/31/2023
-ms.topic: conceptual
+ms.topic: how-to
 ---
 
 # Take tests and assessments in Windows
diff --git a/education/windows/toc.yml b/education/windows/toc.yml
index d12a3eb854..708fd96a30 100644
--- a/education/windows/toc.yml
+++ b/education/windows/toc.yml
@@ -46,7 +46,7 @@ items:
       items:
       - name: Configure federated sign-in
         href: federated-sign-in.md
-      - name: Configure federation between Google Workspace and Azure AD
+      - name: Configure federation between Google Workspace and Microsoft Entra ID
         href: configure-aad-google-trust.md
     - name: Configure Shared PC
       href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
@@ -74,7 +74,7 @@ items:
         items: 
           - name: Overview
             href: set-up-windows-10.md
-          - name: Azure AD join for school PCs
+          - name: Microsoft Entra join for school PCs
             href: set-up-school-pcs-azure-ad-join.md
           - name: Active Directory join for school PCs
             href: set-up-students-pcs-to-join-domain.md
diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md
index 075d9fe6d3..667695adba 100644
--- a/education/windows/tutorial-school-deployment/configure-devices-overview.md
+++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md
@@ -8,7 +8,7 @@ ms.topic: tutorial
 # Configure settings and applications with Microsoft Intune
 
 Before distributing devices to your users, you must ensure that the devices will be configured with the required policies, settings, and applications as they get enrolled in Intune.
-Microsoft Intune uses Azure AD groups to assign policies and applications to devices.
+Microsoft Intune uses Microsoft Entra groups to assign policies and applications to devices.
 With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them.
 
 In this section you will:
@@ -55,4 +55,4 @@ With the groups created, you can configure policies and applications to deploy t
 
 [EDU-1]: /intune-education/create-groups
 [EDU-2]: /intune-education/edit-groups-intune-for-edu
-[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules
\ No newline at end of file
+[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules
diff --git a/education/windows/tutorial-school-deployment/enroll-aadj.md b/education/windows/tutorial-school-deployment/enroll-aadj.md
index 1dc7d9beeb..9cb7370124 100644
--- a/education/windows/tutorial-school-deployment/enroll-aadj.md
+++ b/education/windows/tutorial-school-deployment/enroll-aadj.md
@@ -1,20 +1,20 @@
 ---
 title: Enrollment in Intune with standard out-of-box experience (OOBE)
-description: Learn how to join devices to Azure AD from OOBE and automatically get them enrolled in Intune.
+description: Learn how to join devices to Microsoft Entra ID from OOBE and automatically get them enrolled in Intune.
 ms.date: 08/31/2022
 ms.topic: tutorial
 ---
-# Automatic Intune enrollment via Azure AD join
+# Automatic Intune enrollment via Microsoft Entra join
 
-If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Azure Active Directory tenant, and automatically enroll it in Intune.
+If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Microsoft Entra tenant, and automatically enroll it in Intune.
 With this process, no advance preparation is needed:
 
 1. Follow the on-screen prompts for region selection, keyboard selection, and network connection
 1. Wait for updates. If any updates are available, they'll be installed at this time
   :::image type="content" source="./images/win11-oobe-updates.png" alt-text="Windows 11 OOBE - updates page" border="true":::
-1. When prompted, select **Set up for work or school** and authenticate using your school's Azure Active Directory account
+1. When prompted, select **Set up for work or school** and authenticate using your school's Microsoft Entra account
   :::image type="content" source="./images/win11-oobe-auth.png" alt-text="Windows 11 OOBE - authentication page" border="true":::
-1. The device will join Azure AD and automatically enroll in Intune. All settings defined in Intune will be applied to the device
+1. The device will join Microsoft Entra ID and automatically enroll in Intune. All settings defined in Intune will be applied to the device
 
 > [!IMPORTANT]
 > If you configured enrollment restrictions in Intune blocking personal Windows devices, this process will not complete. You will need to use a different enrollment method, or ensure that the devices are registered in Autopilot.
@@ -24,7 +24,7 @@ With this process, no advance preparation is needed:
 ________________________________________________________
 ## Next steps
 
-With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
+With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
 
 > [!div class="nextstepaction"]
-> [Next: Manage devices >](manage-overview.md)
\ No newline at end of file
+> [Next: Manage devices >](manage-overview.md)
diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md
index e8070b995b..26300b5115 100644
--- a/education/windows/tutorial-school-deployment/enroll-autopilot.md
+++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md
@@ -1,6 +1,6 @@
 ---
 title: Enrollment in Intune with Windows Autopilot
-description: Learn how to join Azure AD and enroll in Intune using Windows Autopilot.
+description: Learn how to join Microsoft Entra ID and enroll in Intune using Windows Autopilot.
 ms.date: 03/08/2023
 ms.topic: tutorial
 ---
@@ -61,8 +61,8 @@ More advanced dynamic membership rules can be created from Microsoft Intune admi
 
 For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices.
 A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be:
-1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Azure AD join process during OOBE
-1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Azure AD join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode.
+1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Microsoft Entra join process during OOBE
+1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Microsoft Entra join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode.
 
 To create an Autopilot deployment profile:
 
@@ -109,8 +109,8 @@ When a Windows device is turned on for the first time, the end-user experience w
 1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step
 1. Apply updates: the device will look for and apply required updates
 1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed, and a reboot will occur
-1. The user authenticates to Azure AD, using the school account
-1. The device joins Azure AD, enrolls in Intune and all the settings and applications are configured
+1. The user authenticates to Microsoft Entra ID, using the school account
+1. The device joins Microsoft Entra ID, enrolls in Intune and all the settings and applications are configured
 
 > [!NOTE]
 > Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection.
@@ -120,7 +120,7 @@ When a Windows device is turned on for the first time, the end-user experience w
 ________________________________________________________
 ## Next steps
 
-With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
+With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
 
 > [!div class="nextstepaction"]
 > [Next: Manage devices >](manage-overview.md)
@@ -146,4 +146,4 @@ With the devices joined to Azure AD tenant and managed by Intune, you can use In
 [EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot
 [EDU-3]: ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page
 
-[SURF-1]: /surface/surface-autopilot-registration-support
\ No newline at end of file
+[SURF-1]: /surface/surface-autopilot-registration-support
diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md
index 6537b7ea3a..fa0b05840b 100644
--- a/education/windows/tutorial-school-deployment/enroll-overview.md
+++ b/education/windows/tutorial-school-deployment/enroll-overview.md
@@ -7,10 +7,10 @@ ms.topic: overview
 
 # Device enrollment overview
 
-There are three main methods for joining Windows devices to Azure AD and getting them enrolled and managed by Intune:
+There are three main methods for joining Windows devices to Microsoft Entra ID and getting them enrolled and managed by Intune:
 
-- **Automatic Intune enrollment via Azure AD join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Azure AD. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices
-- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join an Azure AD tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience
+- **Automatic Intune enrollment via Microsoft Entra join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Microsoft Entra ID. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices
+- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join a Microsoft Entra tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience
 - **Enrollment via Windows Autopilot.** Windows Autopilot is a collection of cloud services to configure the out-of-box experience, enabling light-touch or zero-touch deployment scenarios. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users
 
 ## Choose the enrollment method
@@ -22,7 +22,7 @@ This [table][INT-1] describes the ideal scenarios for using either option. It's
 
 Select one of the following options to learn the next steps about the enrollment method you chose:
 > [!div class="op_single_selector"]
-> - [Automatic Intune enrollment via Azure AD join](enroll-aadj.md)
+> - [Automatic Intune enrollment via Microsoft Entra join](enroll-aadj.md)
 > - [Bulk enrollment with provisioning packages](enroll-package.md)
 > - [Enroll devices with Windows Autopilot ](enroll-autopilot.md)
 
diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md
index e73ef21957..0223d55bd5 100644
--- a/education/windows/tutorial-school-deployment/enroll-package.md
+++ b/education/windows/tutorial-school-deployment/enroll-package.md
@@ -17,7 +17,7 @@ You can create provisioning packages using either **Set Up School PCs** or **Win
 
 ## Set up School PCs
 
-With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Azure AD join and Intune enrollment process.
+With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Microsoft Entra join and Intune enrollment process.
 
 ### Create a provisioning package
 
@@ -44,7 +44,7 @@ For more information, see [Install Windows Configuration Designer][WIN-1], which
 
 ## Enroll devices with the provisioning package
 
-To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Azure AD and automatically enroll in Intune.
+To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Microsoft Entra ID and automatically enroll in Intune.
 All settings defined in the package and in Intune will be applied to the device, and the device will be ready to use.
 
 :::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false":::
@@ -52,7 +52,7 @@ All settings defined in the package and in Intune will be applied to the device,
 ________________________________________________________
 ## Next steps
 
-With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
+With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
 
 > [!div class="nextstepaction"]
 > [Next: Manage devices >](manage-overview.md)
@@ -61,4 +61,4 @@ With the devices joined to Azure AD tenant and managed by Intune, you can use In
 
 [EDU-1]: /education/windows/use-set-up-school-pcs-app
 
-[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd
\ No newline at end of file
+[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md
index b91d83d780..a5a1998f71 100644
--- a/education/windows/tutorial-school-deployment/index.md
+++ b/education/windows/tutorial-school-deployment/index.md
@@ -2,7 +2,7 @@
 title: Introduction to the tutorial deploy and manage Windows devices in a school
 description: Introduction to deployment and management of Windows devices in education environments.
 ms.date: 08/31/2022
-ms.topic: conceptual
+ms.topic: tutorial
 ---
 
 # Tutorial: deploy and manage Windows devices in a school
@@ -46,7 +46,7 @@ From enrollment, through configuration and protection, to resetting, Intune for
 
 :::image type="content" source="./images/device-lifecycle.png" alt-text="The device lifecycle for Intune-managed devices" border="false":::
 
-- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Azure AD tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies
+- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Microsoft Entra tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies
 - **Configure:** once the devices are enrolled in Intune, applications and settings will be applied, as defined by the IT administrator
 - **Protect and manage:** in addition to its configuration capabilities, Intune for Education helps protect devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates
 - **Retire:** when it's time to repurpose a device, Intune for Education offers several options, including resetting the device, removing it from management, or wiping school data. In this document, we cover different device return and exchange scenarios
@@ -55,7 +55,7 @@ From enrollment, through configuration and protection, to resetting, Intune for
 
 In the remainder of this document, we'll discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The guidance is organized around the four main pillars of modern device management:
 
-- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Azure Active Directory, as the foundation for user identity and authentication
+- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Microsoft Entra ID, as the foundation for user identity and authentication
 - **Initial setup:** setting up the Intune for Education environment for managing devices, including configuring settings, deploying applications, and defining updates cadence  
 - **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education
 - **Device reset:** Resetting managed devices with Intune for Education
@@ -63,10 +63,10 @@ In the remainder of this document, we'll discuss the key concepts and benefits o
 ________________________________________________________
 ## Next steps
 
-Let's begin with the creation and configuration of your Azure AD tenant and Intune environment.
+Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment.
 
 > [!div class="nextstepaction"]
-> [Next: Set up Azure Active Directory >](set-up-azure-ad.md)
+> [Next: Set up Microsoft Entra ID >](set-up-azure-ad.md)
 
 <!-- Reference links in article -->
 
@@ -76,4 +76,4 @@ Let's begin with the creation and configuration of your Azure AD tenant and Intu
 [MEM-4]: /mem/autopilot/windows-autopilot
 [MEM-5]: /mem/autopilot/dfci-management
 
-[INT-1]: /intune-education/what-is-intune-for-education
\ No newline at end of file
+[INT-1]: /intune-education/what-is-intune-for-education
diff --git a/education/windows/tutorial-school-deployment/reset-wipe.md b/education/windows/tutorial-school-deployment/reset-wipe.md
index 488d2513f1..1d0edf123a 100644
--- a/education/windows/tutorial-school-deployment/reset-wipe.md
+++ b/education/windows/tutorial-school-deployment/reset-wipe.md
@@ -86,7 +86,7 @@ There are scenarios that require a device to be deleted from your tenant, for ex
 
 1. If possible, perform a **factory reset (wipe)** of the device. If the device can't be wiped, delete the device from Intune using [these steps][MEM-1]
 1. If the device is registered in Autopilot, delete the Autopilot object using [these steps][MEM-2]
-1. Delete the device from Azure Active Directory using [these steps][MEM-3]
+1. Delete the device from Microsoft Entra ID using [these steps][MEM-3]
 
 ## Autopilot considerations for a motherboard replacement scenario
 
diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
index 6aaea36211..cbfcfae2b5 100644
--- a/education/windows/tutorial-school-deployment/set-up-azure-ad.md
+++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
@@ -1,16 +1,16 @@
 ---
-title: Set up Azure Active Directory
-description: Learn how to create and prepare your Azure AD tenant for an education environment.
+title: Set up Microsoft Entra ID
+description: Learn how to create and prepare your Microsoft Entra tenant for an education environment.
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
 ---
 
-# Set up Azure Active Directory
+# Set up Microsoft Entra ID
 
 The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step, is to configure the identity infrastructure to manage user access and permissions for your school.
 
-Azure Active Directory (Azure AD), which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Azure AD for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.
+Microsoft Entra ID, which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Microsoft Entra ID for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.
 
 In this section you will:
 > [!div class="checklist"]
@@ -31,7 +31,7 @@ For more information, see [Create your Office 365 tenant account][M365-1]
 
 The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the <a href="https://entra.microsoft.com" target="_blank"><u>Microsoft Entra admin center</u></a>, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant).
 
-From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Intune, Intune for Education, and others:
+From the Microsoft 365 admin center, you can access different administrative dashboards: Microsoft Entra ID, Microsoft Intune, Intune for Education, and others:
 
 :::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true":::
 
@@ -45,7 +45,7 @@ For more information, see [Overview of the Microsoft 365 admin center][M365-2].
 With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above.
 
 > [!NOTE]
-> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [<u>Azure Active Directory sync</u>](#azure-active-directory-sync) below.
+> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [<u>Azure Active Directory Sync</u>](#azure-active-directory-sync) below.
 
 ### School Data Sync
 
@@ -61,9 +61,9 @@ For more information, see [Overview of School Data Sync][SDS-1].
 >
 > Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment.
 
-### Azure Active Directory sync
+### Azure Active Directory Sync
 
-To integrate an on-premises directory with Azure Active Directory, you can use **Microsoft Azure Active Directory Connect** to synchronize users, groups, and other objects. Azure AD Connect lets you configure the authentication method appropriate for your school, including:
+To integrate an on-premises directory with Microsoft Entra ID, you can use **Microsoft Entra Connect** to synchronize users, groups, and other objects. Microsoft Entra Connect lets you configure the authentication method appropriate for your school, including:
 
 - [Password hash synchronization][AAD-1]
 - [Pass-through authentication][AAD-2]
@@ -79,11 +79,11 @@ There are two options for adding users manually, either individually or in bulk:
 
 1. To add students and teachers as users in Microsoft 365 Education *individually*:
     - Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-    - Select **Azure Active Directory** > **Users** > **All users** > **New user** > **Create new user**
+    - Select **Microsoft Entra ID** > **Users** > **All users** > **New user** > **Create new user**
     For more information, see [Add users and assign licenses at the same time][M365-3].
 1. To add *multiple* users to Microsoft 365 Education:
     - Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-    - Select **Azure Active Directory** > **Users** > **All users** > **Bulk operations** > **Bulk create**
+    - Select **Microsoft Entra ID** > **Users** > **All users** > **Bulk operations** > **Bulk create**
 
 For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
 ### Create groups
@@ -91,7 +91,7 @@ For more information, see [Add multiple users in the Microsoft 365 admin center]
 Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
 
 1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-1. Select **Azure Active Directory** > **Groups** > **All groups** > **New group**
+1. Select **Microsoft Entra ID** > **Groups** > **All groups** > **New group**
 1. On the **New group** page, select **Group type** > **Security**
 1. Provide a group name and add members, as needed
 1. Select **Next**
@@ -100,18 +100,18 @@ For more information, see [Create a group in the Microsoft 365 admin center][M36
 
 ### Assign licenses
 
-The recommended way to assign licenses is through group-based licensing. With this method, Azure AD ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed.
+The recommended way to assign licenses is through group-based licensing. With this method, Microsoft Entra ID ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed.
 
 To assign a license to a group:
 
 1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-1. Select **Azure Active Directory** > **Show More** > **Billing** > **Licenses**
+1. Select **Microsoft Entra ID** > **Show More** > **Billing** > **Licenses**
 1. Select the required products that you want to assign licenses for > **Assign**
 1. Add the groups to which the licenses should be assigned
 
    :::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." lightbox="images/entra-assign-licenses.png":::
 
-For more information, see [Group-based licensing using Azure AD admin center][AAD-4].
+For more information, see [Group-based licensing using Microsoft Entra admin center][AAD-4].
 
 ## Configure school branding
 
@@ -120,26 +120,26 @@ Configuring your school branding enables a more familiar Autopilot experience to
 To configure your school's branding:
 
 1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-1. Select **Azure Active Directory** > **Show More** > **User experiences** > **Company branding**
+1. Select **Microsoft Entra ID** > **Show More** > **User experiences** > **Company branding**
 1. You can specify brand settings like background image, logo, username hint and a sign-in page text
-    :::image type="content" source="images/entra-branding.png" alt-text="Configure Azure AD branding from Microsoft Entra admin center." lightbox="images/entra-branding.png":::
-1. To adjust the school tenant's name displayed during OOBE, select **Azure Active Directory** > **Overview** > **Properties**
+    :::image type="content" source="images/entra-branding.png" alt-text="Configure Microsoft Entra ID branding from Microsoft Entra admin center." lightbox="images/entra-branding.png":::
+1. To adjust the school tenant's name displayed during OOBE, select **Microsoft Entra ID** > **Overview** > **Properties**
 1. In the **Name** field, enter the school district or organization's name > **Save**
-    :::image type="content" alt-text="Configure Azure AD tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png":::
+    :::image type="content" alt-text="Configure Microsoft Entra tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png":::
 
 For more information, see [Add branding to your directory][AAD-5].
 
 ## Enable bulk enrollment
 
-If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Azure AD tenant.
+If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Microsoft Entra tenant.
 
-To allow provisioning packages to complete the Azure AD Join process:
+To allow provisioning packages to complete the Microsoft Entra join process:
 
 1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-1. Select **Azure Active Directory** > **Devices** > **Device Settings**
-1. Under **Users may join devices to Azure AD**, select **All**
+1. Select **Microsoft Entra ID** > **Devices** > **Device Settings**
+1. Under **Users may join devices to Microsoft Entra ID**, select **All**
     > [!NOTE]
-    > If it is required that only specific users can join devices to Azure AD, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users.
+    > If it is required that only specific users can join devices to Microsoft Entra ID, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users.
 1. Select Save
     :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
 
diff --git a/education/windows/tutorial-school-deployment/toc.yml b/education/windows/tutorial-school-deployment/toc.yml
index 294e70dc20..a332eb8656 100644
--- a/education/windows/tutorial-school-deployment/toc.yml
+++ b/education/windows/tutorial-school-deployment/toc.yml
@@ -3,7 +3,7 @@ items:
     href: index.md
   - name: 1. Prepare your tenant
     items:
-      - name: Set up Azure Active Directory
+      - name: Set up Microsoft Entra ID
         href: set-up-azure-ad.md
       - name: Set up Microsoft Intune
         href: set-up-microsoft-intune.md
@@ -19,7 +19,7 @@ items:
     items: 
       - name: Overview
         href: enroll-overview.md
-      - name: Enroll devices via Azure AD join
+      - name: Enroll devices via Microsoft Entra join
         href: enroll-aadj.md
       - name: Enroll devices with provisioning packages
         href: enroll-package.md
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 301a6d1da2..f9a55de678 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -11,7 +11,7 @@ appliesto:
 IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings the app configures through the MDM.   
 
 Set up School PCs also:  
-* Joins each student PC to your organization's Office 365 and Azure Active Directory tenant.  
+* Joins each student PC to your organization's Office 365 and Microsoft Entra tenant.  
 * Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state.  
 * Utilizes Windows Update and maintenance hours to keep student PCs up-to-date, without interfering with class time.
 * Locks down the student PC to prevent activity that isn't beneficial to their education.  
@@ -21,7 +21,7 @@ This article describes how to fill out your school's information in the Set up S
 ## Requirements    
 Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements.
 
-* Office 365 and Azure Active Directory
+* Office 365 and Microsoft Entra ID
 * [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40)  
 * A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office
 * Student PCs must either: 
@@ -99,7 +99,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
 Type a unique name to help distinguish your school's provisioning packages. The name appears:  
 
 * On the local package folder  
-* In your tenant's Azure AD account in the Azure portal  
+* In your tenant's Microsoft Entra account in the Azure portal  
 
 A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 4-16-2019)*. The expiration date is 180 days after you create your package.  
 
@@ -107,13 +107,13 @@ A package expiration date is also attached to the end of each package. For examp
 
 After you click **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app.  
 
-To change an existing package's name, right-click the package folder on your device and select **Rename**. This action does not change the name in Azure AD. If you have Global Admin permissions, you can go to Azure AD in the Azure portal, and rename the package there.  
+To change an existing package's name, right-click the package folder on your device and select **Rename**. This action does not change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there.  
 
 
 ### Sign in  
 
 1. Select how you want to sign in.  
-    a. (Recommended) To enable student PCs to automatically be connect to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. Then go to step 3.  
+    a. (Recommended) To enable student PCs to automatically be connect to Office 365, Microsoft Entra ID, and management services like Intune for Education, click **Sign-in**. Then go to step 3.  
     b. To complete setup without signing in, click **Continue without account**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](#wireless-network).  
 2. In the new window, select the account you want to use throughout setup.  
 
@@ -170,7 +170,7 @@ The following table describes each setting and lists the applicable Windows 10 v
 |Allow local storage (not recommended for shared devices)    |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC.         |Not recommended if the device will be shared between different students.|
 |Optimize device for a single student, instead of a shared cart or lab    |X|X|X|X|Optimizes the device for use by a single student, rather than many students.       |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
 |Let guests sign in to these PCs     |X|X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
-|Enable Autopilot Reset  |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Azure AD and MDM).  |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
+|Enable Autopilot Reset  |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM).  |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
 |Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|   
 
 After you've made your selections, click **Next**.
@@ -276,8 +276,6 @@ When used in context of the Set up School PCs app, the word *package* refers to
 
      ![Screen with message telling user to remove the USB drive.](images/suspcs/suspc_setup_removemediamessage.png)  
 
-4. If you didn't set up the package with Azure AD Join, continue the Windows device setup experience.  If you did configure the package with Azure AD Join, the computer is ready for use and no further configurations are required.  
+4. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience.  If you did configure the package with Microsoft Entra join, the computer is ready for use and no further configurations are required.  
 
       If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources.
-
-
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 0ef3e1439d..85683ac20e 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -86,10 +86,13 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Absolute Software Endpoint Agent`        | 7.20.0.1          | `Win32`    | `Absolute Software Corporation`           |
 | `AirSecure`                               | 8.0.0             | `Win32`    | `AIR`                                     |
 | `Alertus Desktop`                         | 5.4.48.0          | `Win32`    | `Alertus technologies`                    |
+| `AristotleK12 Borderless Classroom `      | 3.0.11.           | `Win32`    | `Sergeant Laboratories`                   |
+| `AristotleK12 Analytics `                 | 10.0.6            | `Win32`    | `Sergeant Laboratories`                   |
+| `AristotleK12 Network filter`             | 3.1.10            | `Win32`    | `Sergeant Laboratories`                   |
 | `Brave Browser`                           | 106.0.5249.119    | `Win32`    | `Brave`                                   |
 | `Bulb Digital Portfolio`                  | 0.0.7.0           | `Store`  | `Bulb`                                    |
-| `CA Secure Browser`                       | 14.0.0            | `Win32`    | `Cambium Development`                     |
-| `Cisco Umbrella`                          | 3.0.110.0         | `Win32`    | `Cisco`                                   |
+| `CA Secure Browser`                       | 15.0.0            | `Win32`    | `Cambium Development`                     |
+| `Cisco Umbrella`                          | 3.0.466.0         | `Win32`    | `Cisco`                                   |
 | `CKAuthenticator`                         | 3.6+              | `Win32`    | `ContentKeeper`                           |
 | `Class Policy`                            | 116.0.0           | `Win32`    | `Class Policy`                            |
 | `Classroom.cloud`                         | 1.40.0004         | `Win32`    | `NetSupport`                              |
@@ -97,7 +100,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `CoGat Secure Browser`                    | 11.0.0.19         | `Win32`    | `Riverside Insights`                      |
 | `ColorVeil`                               | 4.0.0.175         | `Win32`    | `East-Tec`                                | 
 | `ContentKeeper Cloud`                     | 9.01.45           | `Win32`    | `ContentKeeper Technologies`              |
-| `DigiExam`                                | 14.0.6            | `Win32`    | `Digiexam`                                |
+| `DigiExam`                                | 14.1.0            | `Win32`    | `Digiexam`                                |
+| `Digital Secure testing browser`          | 15.0.0            | `Win32`    | `Digiexam`                                |
 | `Dragon Professional Individual`          | 15.00.100         | `Win32`    | `Nuance Communications`                   |
 | `DRC INSIGHT Online Assessments`          | 13.0.0.0          | `Store`  | `Data recognition Corporation`            |
 | `Duo from Cisco`                          | 3.0.0             | `Win32`    | `Cisco`                                   |
@@ -106,8 +110,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `EasyReader`                              | 10.0.4.498        | `Win32`    | `Dolphin Computer Access`                 |
 | `Easysense 2`                             | 1.32.0001         | `Win32`    | `Data Harvest`                            |
 | `Epson iProjection`                       | 3.31              | `Win32`    | `Epson`                                   |
+| `ESET Endpoint Security`                  | 10.1.2046.0       | `Win32`    | `ESET`                                    |
+| `ESET Remote Administrator Agent`         | 10.0.1126.0       | `Win32`    | `ESET`                                    |
 | `eTests`                                  | 4.0.25            | `Win32`    | `CASAS`                                   |
-| `Exam Writepad`                           | 22.10.14.1834     | `Win32`    | `Sheldnet`                                |
+| `Exam Writepad`                           | 23.2.4.2338       | `Win32`    | `Sheldnet`                                |
 | `FirstVoices Keyboard`                    | 15.0.270          | `Win32`    | `SIL International`                       |
 | `FortiClient`                             | 7.2.0.4034+       | `Win32`    | `Fortinet`                                |
 | `Free NaturalReader`                      | 16.1.2            | `Win32`    | `Natural Soft`                            |
@@ -117,43 +123,50 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `GuideConnect`                            | 1.24              | `Win32`    | `Dolphin Computer Access`                 |
 | `Illuminate Lockdown Browser`             | 2.0.5             | `Win32`    | `Illuminate Education`                    |
 | `Immunet`                                 | 7.5.8.21178       | `Win32`    | `Immunet`                                 |
-| `Impero Backdrop Client`                  | 5.0.87            | `Win32`    | `Impero Software`                         |
+| `Impero Backdrop Client`                  | 5.0.151           | `Win32`    | `Impero Software`                         |
 | `IMT Lazarus`                             | 2.86.0            | `Win32`    | `IMTLazarus`                              |
 | `Inspiration 10`                          | 10.11             | `Win32`    | `TechEdology Ltd`                         |
 | `JAWS for Windows`                        | 2022.2112.24      | `Win32`    | `Freedom Scientific`                      |
 | `Kite Student Portal`                     | 9.0.0.0           | `Win32`    | `Dynamic Learning Maps`                   |
-| `Keyman`                                  | 16.0.138          | `Win32`    | `SIL International`                       |
+| `Keyman`                                  | 16.0.141          | `Win32`    | `SIL International`                       |
 | `Kortext`                                 | 2.3.433.0         | `Store`  | `Kortext`                                 |
 | `Kurzweil 3000 Assistive Learning`        | 20.13.0000        | `Win32`    | `Kurzweil Educational Systems`            |
 | `LanSchool Classic`                       | 9.1.0.46          | `Win32`    | `Stoneware, Inc.`                         |
 | `LanSchool Air`                           | 2.0.13312         | `Win32`    | `Stoneware, Inc.`                         |
+| `Lexibar`                                 | 3.07.02           | `Win32`    | `Lexibar`                                 |
+| `LGfL HomeProtect`                        | 8.3.44.11         | `Win32`    | `LGFL`                                    |
 | `Lightspeed Smart Agent`                  | 1.9.1             | `Win32`    | `Lightspeed Systems`                      |
 | `Lightspeed Filter Agent`                 | 2.3.4             | `Win32`    | `Lightspeed Systems`                      |
-| `MetaMoJi ClassRoom`                      | 3.12.4.0          | `Store`  | `MetaMoJi Corporation`                    |
-| `Microsoft Connect`                       | 10.0.22000.1      | `Store`  | `Microsoft`                               |
-| `Mozilla Firefox`                         | 105.0.0           | `Win32`    | `Mozilla`                                 |
-| `Mobile Plans`                            | 5.1911.3171.0     | `Store`  | `Microsoft Corporation`                   |
+| `Lightspeed Digital`                      | 3.12.3.11         | `Win32`    | `Lightspeed Systems`                      |
+| `MetaMoJi ClassRoom`                      | 3.12.4.0          | `Store`    | `MetaMoJi Corporation`                    |
+| `Microsoft Connect`                       | 10.0.22000.1      | `Store`    | `Microsoft`                               |
+| `Mozilla Firefox`                         | 116.0.2           | `Win32`    | `Mozilla`                                 |
+| `Mobile Plans`                            | 5.1911.3171.0     | `Store`    | `Microsoft Corporation`                   |
+| `Musescore`                               | 4.1.1.232071203   | `Win32`    | `Musescore`                               |
 | `NAPLAN`                                  | 5.2.2             | `Win32`    | `NAP`                                     |
 | `Netref Student`                          | 23.1.0            | `Win32`    | `NetRef`                                  |
-| `NetSupport Manager`                      | 12.01.0014        | `Win32`    | `NetSupport`                              |
-| `NetSupport Notify`                       | 5.10.1.215        | `Win32`    | `NetSupport`                              |
+| `NetSupport DNA`                          | 4.80.0000         | `Win32`    | `NetSupport`                              |
+| `NetSupport Manager`                      | 14.00.0012        | `Win32`    | `NetSupport`                              |
+| `NetSupport Notify`                       | 5.10.1.223        | `Win32`    | `NetSupport`                              |
 | `NetSupport School`                       | 14.00.0012        | `Win32`    | `NetSupport`                              |
 | `NextUp Talker`                           | 1.0.49            | `Win32`    | `NextUp Technologies`                     |
-| `NonVisual Desktop Access`                | 2021.3.1          | `Win32`    | `NV Access`                               |
+| `Netsweeper Workstation Agent`            | 4.50.54.54        | `Win32`    | `Netsweeper`                              |
+| `NonVisual Desktop Access`                | 2023.1.           | `Win32`    | `NV Access`                               |
 | `NWEA Secure Testing Browser`             | 5.4.387.0         | `Win32`    | `NWEA`                                    |
 | `PC Talker Neo`                           | 2209              | `Win32`    | `Kochi System Development`                |
 | `PC Talker Neo Plus`                      | 2209              | `Win32`    | `Kochi System Development`                |
 | `PaperCut`                                | 22.0.6            | `Win32`    | `PaperCut Software International Pty Ltd` |
-| `Pearson TestNav`                         | 1.11.3            | `Store`  | `Pearson`                                 |
-| `Project Monarch Outlook`                 | 1.2022.2250001    | `Store`  | `Microsoft`                               |
+| `Pearson TestNav`                         | 1.11.3            | `Store`    | `Pearson`                                 |
+| `Project Monarch Outlook`                 | 1.2023.831.400    | `Store`    | `Microsoft`                               |
 | `Questar Secure Browser`                  | 5.0.1.456         | `Win32`    | `Questar, Inc`                            |
-| `ReadAndWriteForWindows`                  | 12.0.74           | `Win32`    | `Texthelp Ltd.`                           |
-| `Remote Desktop client (MSRDC)`           | 1.2.4066.0        | `Win32`    | `Microsoft`                               |
+| `ReadAndWriteForWindows`                  | 12.0.78           | `Win32`    | `Texthelp Ltd.`                           |
+| `Remote Desktop client (MSRDC)`           | 1.2.4487.0        | `Win32`    | `Microsoft`                               |
 | `Remote Help`                             | 4.0.1.13          | `Win32`    | `Microsoft`                               |
 | `Respondus Lockdown Browser`              | 2.0.9.03          | `Win32`    | `Respondus`                               |
 | `Safe Exam Browser`                       | 3.5.0.544         | `Win32`    | `Safe Exam Browser`                       |
-|`SchoolYear`                               | 3.4.21             | `Win32`    |`SchoolYear`                              |
+|`SchoolYear`                               | 3.5.4             | `Win32`    |`SchoolYear`                              |
 |`School Manager`                           | 3.6.8.1109        | `Win32`    |`School Manager`                           |
+|`Scratch`                                  | 3.0               | `Win32`    |`MIT`                                      |
 | `Senso.Cloud`                             | 2021.11.15.0      | `Win32`    | `Senso.Cloud`                             |
 | `Skoolnext`                               | 2.19              | `Win32`    | `Skool.net`                               |
 | `Smoothwall Monitor`                      | 2.9.2             | `Win32`    | `Smoothwall Ltd`                          |
@@ -161,11 +174,14 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `SuperNova Magnifier & Speech`            | 21.03             | `Win32`    | `Dolphin Computer Access`                 |
 |`TX Secure Browser`                        | 15.0.0            | `Win32`    | `Cambium Development`                     |
 | `VitalSourceBookShelf`                    | 10.2.26.0         | `Win32`    | `VitalSource Technologies Inc`            |
+|`WA Secure Browser`                        | 16.0.0            | `Win32`    | `Cambium Development`                     |
 | `Winbird`                                 | 19                | `Win32`    | `Winbird Co., Ltd.`                       |
 | `WordQ`                                   | 5.4.29            | `Win32`    | `WordQ`                                   |
+| `Windows SEB`                             | 3.4.0             | `Win32`    | `Illinois Stateboard of Education`        |
+| `Windows Notepad`                         | 12.0.78           | `Store`    | `Microsoft Corporation`                   |
 | `Zoom`                                    | 5.12.8 (10232)    | `Win32`    | `Zoom`                                    |
-| `ZoomText Fusion`                         | 2023.2303.77.400  | `Win32`    | `Freedom Scientific`                      |
-| `ZoomText Magnifier/Reader`               | 2023.2303.33.400  | `Win32`    | `Freedom Scientific`                      |
+| `ZoomText Fusion`                         | 2023.2307.7.400  | `Win32`    | `Freedom Scientific`                      |
+| `ZoomText Magnifier/Reader`               | 2023.2307.29.400  | `Win32`    | `Freedom Scientific`                      |
 
 ## Add your own applications
 
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 633ac67aa7..bea07c4d0b 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -1,8 +1,8 @@
 ---
 title: Windows 11 SE settings list
 description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
-ms.topic: article
-ms.date: 03/09/2023
+ms.topic: reference
+ms.date: 08/18/2023
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
 ms.collection:
@@ -50,7 +50,7 @@ The following settings can't be changed.
 | Visible Folders in File Explorer | By default, the Desktop, Downloads, Documents, and Pictures folders are visible to users in File Explorer. Users can make other folders, like **This PC**, visible in **View** > **Options**. |
 | Launch Windows Maximized  | All Windows are opened in the maximized view.  |
 | Windows Snapping  | Windows snapping is limited to two Windows.  |
-| Allowed Account Types  | Microsoft accounts and Azure AD accounts are allowed. |
+| Allowed Account Types  | Microsoft accounts and Microsoft Entra accounts are allowed. |
 | Virtual Desktops  | Virtual Desktops are blocked. |
 | Microsoft Store  | The Microsoft Store is blocked. |
 | Administrative tools  | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Intune can run. |
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index 0da408d581..7c6ecca23b 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -1,7 +1,7 @@
 ---
 title: Windows 10 editions for education customers
 description: Learn about the two Windows 10 editions that are designed for the needs of education institutions.
-ms.topic: conceptual
+ms.topic: overview
 ms.date: 07/25/2023
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
diff --git a/includes/configure/gpo-settings-1.md b/includes/configure/gpo-settings-1.md
index 8f3cdce242..d30e2cc685 100644
--- a/includes/configure/gpo-settings-1.md
+++ b/includes/configure/gpo-settings-1.md
@@ -6,4 +6,4 @@ ms.topic: include
 ms.prod: windows-client
 ---
 
-To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the settings located under
\ No newline at end of file
+To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the following settings:
\ No newline at end of file
diff --git a/includes/configure/intune-settings-catalog-1.md b/includes/configure/intune-settings-catalog-1.md
index 9aae47a0fa..d0b87a5b78 100644
--- a/includes/configure/intune-settings-catalog-1.md
+++ b/includes/configure/intune-settings-catalog-1.md
@@ -6,4 +6,4 @@ ms.topic: include
 ms.prod: windows-client
 ---
 
-To configure devices using Microsoft Intune, [create a *Settings catalog policy*](/mem/intune/configuration/settings-catalog) and use the following settings:
\ No newline at end of file
+To configure devices using Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use the following settings:
\ No newline at end of file
diff --git a/includes/configure/provisioning-package-1.md b/includes/configure/provisioning-package-1.md
new file mode 100644
index 0000000000..951ca428e3
--- /dev/null
+++ b/includes/configure/provisioning-package-1.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/12/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+Use the following settings to [create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package):
diff --git a/includes/configure/provisioning-package-2.md b/includes/configure/provisioning-package-2.md
new file mode 100644
index 0000000000..b600e58e47
--- /dev/null
+++ b/includes/configure/provisioning-package-2.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/12/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+[Apply the provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to the devices that you want to configure.
diff --git a/includes/intune/intune-custom-settings-1.md b/includes/intune/intune-custom-settings-1.md
deleted file mode 100644
index d911751e75..0000000000
--- a/includes/intune/intune-custom-settings-1.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-ms.date: 02/22/2022
-ms.topic: include
----
-
-To configure devices with Microsoft Intune, use a custom policy:
-
-1. Go to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
-2. Select **Devices > Configuration profiles > Create profile**
-3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
-4. Select **Create**
-5. Specify a **Name** and, optionally, a **Description > Next**
-6. Add the following settings:
\ No newline at end of file
diff --git a/includes/intune/intune-custom-settings-2.md b/includes/intune/intune-custom-settings-2.md
deleted file mode 100644
index 1a601acaa7..0000000000
--- a/includes/intune/intune-custom-settings-2.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-ms.date: 11/08/2022
-ms.topic: include
----
-
-7. Select **Next**
-8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
-9. Under **Applicability Rules**, select **Next**
-10. Review the policy configuration and select **Create**
\ No newline at end of file
diff --git a/includes/intune/intune-custom-settings-info.md b/includes/intune/intune-custom-settings-info.md
deleted file mode 100644
index 8ff9da4294..0000000000
--- a/includes/intune/intune-custom-settings-info.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-ms.date: 11/08/2022
-ms.topic: include
----
-
-For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
\ No newline at end of file
diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md
index e803e8009d..e68a87a3a6 100644
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/09/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -9,79 +9,83 @@ ms.topic: include
 |:---|:---:|:---:|:---:|:---:|
 |**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
 |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
-|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|❌|Yes|
+|**[Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)**|Yes|Yes|Yes|Yes|
+|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|❌|Yes|
 |**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
-|**[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
+|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
 |**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
 |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
-|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|
 |**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|
-|**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|
-|**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|Yes|Yes|Yes|Yes|
+|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|
+|**[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)**|Yes|Yes|Yes|Yes|
 |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|
-|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|
+|**[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|
 |**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|
-|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|
+|**[Credential Guard](/windows/security/identity-protection/credential-guard/)**|❌|Yes|❌|Yes|
+|**[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|
 |**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|❌|Yes|
-|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|
-|**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|
-|**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|
+|**[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)**|Yes|Yes|Yes|Yes|
+|**[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|
+|**[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|
+|**[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)**|Yes|Yes|Yes|Yes|
 |**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|
-|**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
-|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|
+|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|
 |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
+|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
 |**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
-|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
 |**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|
 |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|
-|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
+|**[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|
 |**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|
 |**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
 |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
-|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes|
+|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|
+|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
 |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
 |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
+|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
 |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|
-|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|
+|**[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)**|Yes|Yes|Yes|Yes|
 |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|
 |**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
-|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
+|**[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
 |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|
 |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|
 |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
 |**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|
 |**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes|
 |**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|
-|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|
+|**[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|
 |**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|
 |**[Universal Print](/universal-print/)**|Yes|Yes|Yes|Yes|
 |**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes|
-|**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
+|**[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
 |**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|
+|**[Web sign-in](/windows/security/identity-protection/web-sign-in)**|Yes|Yes|Yes|Yes|
 |**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|
 |**[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)**|Yes|Yes|Yes|Yes|
 |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes|
-|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|
+|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
-|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
-|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
-|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
-|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|
+|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
-|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
+|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|
+|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
 |**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|
 |**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md
index 28ea87e8e0..780ba51ff0 100644
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/09/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -9,79 +9,83 @@ ms.topic: include
 |:---|:---:|:---:|:---:|:---:|:---:|
 |**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
-|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|Yes|Yes|Yes|
+|**[Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)**|Yes|Yes|Yes|Yes|Yes|
+|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|Yes|Yes|Yes|
 |**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
-|**[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
+|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
 |**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
 |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
-|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|Yes|
 |**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes|
-|**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes|
-|**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|❌|Yes|Yes|Yes|Yes|
+|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|Yes|
+|**[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)**|❌|Yes|Yes|Yes|Yes|
 |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes|
-|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes|
+|**[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes|
 |**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes|
-|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes|
+|**[Credential Guard](/windows/security/identity-protection/credential-guard/)**|❌|Yes|Yes|Yes|Yes|
+|**[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes|
 |**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|Yes|Yes|Yes|
-|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes|
-|**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|Yes|
-|**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|Yes|
+|**[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)**|Yes|Yes|Yes|Yes|Yes|
+|**[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes|
+|**[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|Yes|
+|**[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)**|Yes|Yes|Yes|Yes|Yes|
 |**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|Yes|
-|**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes|
-|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
-|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
+|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
+|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|Yes|Yes|❌|❌|
+|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
 |**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
-|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
 |**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|Yes|
 |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
-|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|Yes|
-|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
 |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
-|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes|
+|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|Yes|
+|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
 |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
 |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
+|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
 |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes|
-|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
+|**[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
-|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
+|**[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
 |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes|
 |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|Yes|
 |**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes|Yes|
 |**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|Yes|
-|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Universal Print](/universal-print/)**|❌|Yes|Yes|Yes|Yes|
 |**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes|Yes|
-|**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
+|**[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
 |**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|Yes|
+|**[Web sign-in](/windows/security/identity-protection/web-sign-in)**|Yes|Yes|Yes|Yes|Yes|
 |**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌|
-|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
-|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/access-control-aclsacl.md b/includes/licensing/access-control-aclsacl.md
index 8adad0309e..7914dd8fd5 100644
--- a/includes/licensing/access-control-aclsacl.md
+++ b/includes/licensing/access-control-aclsacl.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/account-lockout-policy.md b/includes/licensing/account-lockout-policy.md
index 1e7a0d8661..3ca26ae6ea 100644
--- a/includes/licensing/account-lockout-policy.md
+++ b/includes/licensing/account-lockout-policy.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md b/includes/licensing/active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md
similarity index 59%
rename from includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
rename to includes/licensing/active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md
index 5ae19412dd..c8c1eacf14 100644
--- a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
+++ b/includes/licensing/active-directory-domain-join-microsoft-entra-join-and-microsoft-entra-hybrid-join-with-single-sign-on-sso.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO):
+The following table lists the Windows editions that support Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO):
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO) license entitlements are granted by the following licenses:
+Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO) license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/always-on-vpn-device-tunnel.md b/includes/licensing/always-on-vpn-device-tunnel.md
index 08d98ed800..c02b90d456 100644
--- a/includes/licensing/always-on-vpn-device-tunnel.md
+++ b/includes/licensing/always-on-vpn-device-tunnel.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/app-containers.md b/includes/licensing/app-containers.md
index 0d698a7bfb..8777c075d8 100644
--- a/includes/licensing/app-containers.md
+++ b/includes/licensing/app-containers.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/applocker.md b/includes/licensing/applocker.md
index 54cc165d41..26e08b6b83 100644
--- a/includes/licensing/applocker.md
+++ b/includes/licensing/applocker.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/assigned-access-kiosk-mode.md b/includes/licensing/assigned-access-kiosk-mode.md
index 066c7badc4..f14704f482 100644
--- a/includes/licensing/assigned-access-kiosk-mode.md
+++ b/includes/licensing/assigned-access-kiosk-mode.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/attack-surface-reduction-asr.md b/includes/licensing/attack-surface-reduction-asr.md
index 7d481ce4bf..3f2b9094aa 100644
--- a/includes/licensing/attack-surface-reduction-asr.md
+++ b/includes/licensing/attack-surface-reduction-asr.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/azure-code-signing.md b/includes/licensing/azure-code-signing.md
index dc29a35e27..ace7222901 100644
--- a/includes/licensing/azure-code-signing.md
+++ b/includes/licensing/azure-code-signing.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/bitlocker-enablement.md b/includes/licensing/bitlocker-enablement.md
index 56f85845aa..42fdd23a24 100644
--- a/includes/licensing/bitlocker-enablement.md
+++ b/includes/licensing/bitlocker-enablement.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/bitlocker-management.md b/includes/licensing/bitlocker-management.md
index a0c68f72ee..c9c3827684 100644
--- a/includes/licensing/bitlocker-management.md
+++ b/includes/licensing/bitlocker-management.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/bluetooth-pairing-and-connection-protection.md b/includes/licensing/bluetooth-pairing-and-connection-protection.md
index 171fe3f9b2..62054635e0 100644
--- a/includes/licensing/bluetooth-pairing-and-connection-protection.md
+++ b/includes/licensing/bluetooth-pairing-and-connection-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/common-criteria-certifications.md b/includes/licensing/common-criteria-certifications.md
index 528a497f37..1eef471e1f 100644
--- a/includes/licensing/common-criteria-certifications.md
+++ b/includes/licensing/common-criteria-certifications.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/controlled-folder-access.md b/includes/licensing/controlled-folder-access.md
index 25d04b1c49..653c17f98a 100644
--- a/includes/licensing/controlled-folder-access.md
+++ b/includes/licensing/controlled-folder-access.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-defender-credential-guard.md b/includes/licensing/credential-guard.md
similarity index 71%
rename from includes/licensing/windows-defender-credential-guard.md
rename to includes/licensing/credential-guard.md
index adf6d74a0e..43c956dd67 100644
--- a/includes/licensing/windows-defender-credential-guard.md
+++ b/includes/licensing/credential-guard.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Windows Defender Credential Guard:
+The following table lists the Windows editions that support Credential Guard:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |No|Yes|No|Yes|
 
-Windows Defender Credential Guard license entitlements are granted by the following licenses:
+Credential Guard license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/device-health-attestation-service.md b/includes/licensing/device-health-attestation-service.md
index 7ed2add45f..8262e8af6c 100644
--- a/includes/licensing/device-health-attestation-service.md
+++ b/includes/licensing/device-health-attestation-service.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/direct-access.md b/includes/licensing/direct-access.md
index 057c5a2cea..7ff5d0349a 100644
--- a/includes/licensing/direct-access.md
+++ b/includes/licensing/direct-access.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/fast-identity-online-fido2-security-key.md b/includes/licensing/domain-name-system-dns-security.md
similarity index 70%
rename from includes/licensing/fast-identity-online-fido2-security-key.md
rename to includes/licensing/domain-name-system-dns-security.md
index 9985309552..6c201664a7 100644
--- a/includes/licensing/fast-identity-online-fido2-security-key.md
+++ b/includes/licensing/domain-name-system-dns-security.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Fast Identity Online (FIDO2) security key:
+The following table lists the Windows editions that support Domain Name System (DNS) security:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Fast Identity Online (FIDO2) security key license entitlements are granted by the following licenses:
+Domain Name System (DNS) security license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/email-encryption-smime.md b/includes/licensing/email-encryption-smime.md
index 6895c5b618..0b6eba0e94 100644
--- a/includes/licensing/email-encryption-smime.md
+++ b/includes/licensing/email-encryption-smime.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/encrypted-hard-drive.md b/includes/licensing/encrypted-hard-drive.md
index 16225d6ee6..250860e3d7 100644
--- a/includes/licensing/encrypted-hard-drive.md
+++ b/includes/licensing/encrypted-hard-drive.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
index ae4cd8568a..f3e9d9e7eb 100644
--- a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
+++ b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/exploit-protection.md b/includes/licensing/exploit-protection.md
index 7a46f2cc0a..e3cc381820 100644
--- a/includes/licensing/exploit-protection.md
+++ b/includes/licensing/exploit-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/federal-information-processing-standard-fips-140-validation.md b/includes/licensing/federal-information-processing-standard-fips-140-validation.md
index a06133b313..255e023c53 100644
--- a/includes/licensing/federal-information-processing-standard-fips-140-validation.md
+++ b/includes/licensing/federal-information-processing-standard-fips-140-validation.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/federated-sign-in.md b/includes/licensing/federated-sign-in.md
index 0d01c1968f..701d2a3bde 100644
--- a/includes/licensing/federated-sign-in.md
+++ b/includes/licensing/federated-sign-in.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -17,6 +17,6 @@ Federated sign-in license entitlements are granted by the following licenses:
 
 |Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
-|Yes|No|No|Yes|Yes|
+|Yes|Yes|Yes|No|No|
 
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/access-control-aclsscals.md b/includes/licensing/fido2-security-key.md
similarity index 72%
rename from includes/licensing/access-control-aclsscals.md
rename to includes/licensing/fido2-security-key.md
index 9d8830c6cd..a75a664ba2 100644
--- a/includes/licensing/access-control-aclsscals.md
+++ b/includes/licensing/fido2-security-key.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Access Control (ACLs/SCALS):
+The following table lists the Windows editions that support FIDO2 security key:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Access Control (ACLs/SCALS) license entitlements are granted by the following licenses:
+FIDO2 security key license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/hardware-enforced-stack-protection.md b/includes/licensing/hardware-enforced-stack-protection.md
index 8a2fe75e78..015c2029c7 100644
--- a/includes/licensing/hardware-enforced-stack-protection.md
+++ b/includes/licensing/hardware-enforced-stack-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/hypervisor-protected-code-integrity-hvci.md b/includes/licensing/hypervisor-protected-code-integrity-hvci.md
index a6800d9403..6ec3e17ec0 100644
--- a/includes/licensing/hypervisor-protected-code-integrity-hvci.md
+++ b/includes/licensing/hypervisor-protected-code-integrity-hvci.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/kernel-direct-memory-access-dma-protection.md b/includes/licensing/kernel-direct-memory-access-dma-protection.md
index 52b159827e..b6a67f8b82 100644
--- a/includes/licensing/kernel-direct-memory-access-dma-protection.md
+++ b/includes/licensing/kernel-direct-memory-access-dma-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/local-security-authority-lsa-protection.md b/includes/licensing/local-security-authority-lsa-protection.md
index fafa59de66..9fb5ffeb78 100644
--- a/includes/licensing/local-security-authority-lsa-protection.md
+++ b/includes/licensing/local-security-authority-lsa-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/measured-boot.md b/includes/licensing/measured-boot.md
index 407e64eefe..6d62dc4f3e 100644
--- a/includes/licensing/measured-boot.md
+++ b/includes/licensing/measured-boot.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-antivirus.md b/includes/licensing/microsoft-defender-antivirus.md
index 357e6daa39..bfa1a523e4 100644
--- a/includes/licensing/microsoft-defender-antivirus.md
+++ b/includes/licensing/microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
index bd87e59e22..8b1f61512a 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
index 8e546d7248..92bde833e7 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
index 5d3024ffc9..40bd08c713 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
index 6284c03484..a808fad367 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
index de70847881..1451e70955 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-for-endpoint.md b/includes/licensing/microsoft-defender-for-endpoint.md
index 56edc6e24e..3c405e4747 100644
--- a/includes/licensing/microsoft-defender-for-endpoint.md
+++ b/includes/licensing/microsoft-defender-for-endpoint.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-smartscreen.md b/includes/licensing/microsoft-defender-smartscreen.md
index d5b7aae9bd..4f8c6afb14 100644
--- a/includes/licensing/microsoft-defender-smartscreen.md
+++ b/includes/licensing/microsoft-defender-smartscreen.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-pluton.md b/includes/licensing/microsoft-pluton.md
index 31058f139d..6d127fec25 100644
--- a/includes/licensing/microsoft-pluton.md
+++ b/includes/licensing/microsoft-pluton.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-security-development-lifecycle-sdl.md b/includes/licensing/microsoft-security-development-lifecycle-sdl.md
index 7b9411b126..c772ef45b4 100644
--- a/includes/licensing/microsoft-security-development-lifecycle-sdl.md
+++ b/includes/licensing/microsoft-security-development-lifecycle-sdl.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-vulnerable-driver-blocklist.md b/includes/licensing/microsoft-vulnerable-driver-blocklist.md
index 449ac22b52..58866a171a 100644
--- a/includes/licensing/microsoft-vulnerable-driver-blocklist.md
+++ b/includes/licensing/microsoft-vulnerable-driver-blocklist.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-windows-insider-preview-bounty-program.md b/includes/licensing/microsoft-windows-insider-preview-bounty-program.md
index c3cd9dbaf1..fe6aa10f30 100644
--- a/includes/licensing/microsoft-windows-insider-preview-bounty-program.md
+++ b/includes/licensing/microsoft-windows-insider-preview-bounty-program.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/modern-device-management-through-mdm.md b/includes/licensing/modern-device-management-through-mdm.md
index f2a71b791d..07bac3574c 100644
--- a/includes/licensing/modern-device-management-through-mdm.md
+++ b/includes/licensing/modern-device-management-through-mdm.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/onefuzz-service.md b/includes/licensing/onefuzz-service.md
index 25e6a5ef43..d58b1b1f23 100644
--- a/includes/licensing/onefuzz-service.md
+++ b/includes/licensing/onefuzz-service.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/opportunistic-wireless-encryption-owe.md b/includes/licensing/opportunistic-wireless-encryption-owe.md
index 4629b28a5f..2954ec4c83 100644
--- a/includes/licensing/opportunistic-wireless-encryption-owe.md
+++ b/includes/licensing/opportunistic-wireless-encryption-owe.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/passkeys.md b/includes/licensing/passkeys.md
new file mode 100644
index 0000000000..dae8584454
--- /dev/null
+++ b/includes/licensing/passkeys.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/18/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support passkeys:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Passkeys license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/personal-data-encryption-pde.md b/includes/licensing/personal-data-encryption-pde.md
index ed0e014d0e..ff1909674e 100644
--- a/includes/licensing/personal-data-encryption-pde.md
+++ b/includes/licensing/personal-data-encryption-pde.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/privacy-resource-usage.md b/includes/licensing/privacy-resource-usage.md
index 080229688a..656e7d6bde 100644
--- a/includes/licensing/privacy-resource-usage.md
+++ b/includes/licensing/privacy-resource-usage.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/privacy-transparency-and-controls.md b/includes/licensing/privacy-transparency-and-controls.md
index fd57043298..09a88191f1 100644
--- a/includes/licensing/privacy-transparency-and-controls.md
+++ b/includes/licensing/privacy-transparency-and-controls.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/remote-credential-guard.md b/includes/licensing/remote-credential-guard.md
new file mode 100644
index 0000000000..a9d5e47bfa
--- /dev/null
+++ b/includes/licensing/remote-credential-guard.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/18/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Remote Credential Guard:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Remote Credential Guard license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/remote-wipe.md b/includes/licensing/remote-wipe.md
index 6557c69147..416338f11f 100644
--- a/includes/licensing/remote-wipe.md
+++ b/includes/licensing/remote-wipe.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/secure-boot-and-trusted-boot.md b/includes/licensing/secure-boot-and-trusted-boot.md
index b29dea38c5..1a28ce37fb 100644
--- a/includes/licensing/secure-boot-and-trusted-boot.md
+++ b/includes/licensing/secure-boot-and-trusted-boot.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/secured-core-configuration-lock.md b/includes/licensing/secured-core-configuration-lock.md
index 8acee3baef..065fb9930f 100644
--- a/includes/licensing/secured-core-configuration-lock.md
+++ b/includes/licensing/secured-core-configuration-lock.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/secured-core-pc-firmware-protection.md b/includes/licensing/secured-core-pc-firmware-protection.md
index 21a3a0651a..17d33cd9dd 100644
--- a/includes/licensing/secured-core-pc-firmware-protection.md
+++ b/includes/licensing/secured-core-pc-firmware-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/security-baselines.md b/includes/licensing/security-baselines.md
index bda8037388..697e3c1347 100644
--- a/includes/licensing/security-baselines.md
+++ b/includes/licensing/security-baselines.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/server-message-block-direct-smb-direct.md b/includes/licensing/server-message-block-direct-smb-direct.md
index 683fa8db2e..e40088e7da 100644
--- a/includes/licensing/server-message-block-direct-smb-direct.md
+++ b/includes/licensing/server-message-block-direct-smb-direct.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/server-message-block-smb-file-service.md b/includes/licensing/server-message-block-smb-file-service.md
index cd9276809b..c2417234ba 100644
--- a/includes/licensing/server-message-block-smb-file-service.md
+++ b/includes/licensing/server-message-block-smb-file-service.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/smart-app-control.md b/includes/licensing/smart-app-control.md
index fbc05610fb..8a281fcbd6 100644
--- a/includes/licensing/smart-app-control.md
+++ b/includes/licensing/smart-app-control.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/smart-cards-for-windows-service.md b/includes/licensing/smart-cards-for-windows-service.md
index eb5061e582..f89dfe5b27 100644
--- a/includes/licensing/smart-cards-for-windows-service.md
+++ b/includes/licensing/smart-cards-for-windows-service.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/software-bill-of-materials-sbom.md b/includes/licensing/software-bill-of-materials-sbom.md
index 4d6f832194..72c7191537 100644
--- a/includes/licensing/software-bill-of-materials-sbom.md
+++ b/includes/licensing/software-bill-of-materials-sbom.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/tamper-protection-settings-for-mde.md b/includes/licensing/tamper-protection-settings-for-mde.md
index fe7d7c2314..5fc00e80ef 100644
--- a/includes/licensing/tamper-protection-settings-for-mde.md
+++ b/includes/licensing/tamper-protection-settings-for-mde.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/transport-layer-security-tls.md b/includes/licensing/transport-layer-security-tls.md
index 5642121480..e3893e47b5 100644
--- a/includes/licensing/transport-layer-security-tls.md
+++ b/includes/licensing/transport-layer-security-tls.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Transport layer security (TLS):
+The following table lists the Windows editions that support Transport Layer Security (TLS):
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Transport layer security (TLS) license entitlements are granted by the following licenses:
+Transport Layer Security (TLS) license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/trusted-platform-module-tpm.md b/includes/licensing/trusted-platform-module-tpm.md
index 6f757d623a..1c441f151a 100644
--- a/includes/licensing/trusted-platform-module-tpm.md
+++ b/includes/licensing/trusted-platform-module-tpm.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/universal-print.md b/includes/licensing/universal-print.md
index 87828b2774..100a608c5e 100644
--- a/includes/licensing/universal-print.md
+++ b/includes/licensing/universal-print.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/user-account-control-uac.md b/includes/licensing/user-account-control-uac.md
index c34f82f836..5aad4958ad 100644
--- a/includes/licensing/user-account-control-uac.md
+++ b/includes/licensing/user-account-control-uac.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/virtual-private-network-vpn.md b/includes/licensing/virtual-private-network-vpn.md
index eb309a2554..812d47fa6b 100644
--- a/includes/licensing/virtual-private-network-vpn.md
+++ b/includes/licensing/virtual-private-network-vpn.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/virtualization-based-security-vbs.md b/includes/licensing/virtualization-based-security-vbs.md
index 70827aebce..912d2c961d 100644
--- a/includes/licensing/virtualization-based-security-vbs.md
+++ b/includes/licensing/virtualization-based-security-vbs.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/web-sign-in.md b/includes/licensing/web-sign-in.md
new file mode 100644
index 0000000000..73f9fd09e5
--- /dev/null
+++ b/includes/licensing/web-sign-in.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 09/18/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Web sign-in:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Web sign-in license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/wifi-security.md b/includes/licensing/wifi-security.md
index 3d4a3e17c3..9e2cf75579 100644
--- a/includes/licensing/wifi-security.md
+++ b/includes/licensing/wifi-security.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-application-software-development-kit-sdk.md b/includes/licensing/windows-application-software-development-kit-sdk.md
index d97a10562a..65ba17659f 100644
--- a/includes/licensing/windows-application-software-development-kit-sdk.md
+++ b/includes/licensing/windows-application-software-development-kit-sdk.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-autopatch.md b/includes/licensing/windows-autopatch.md
index 4c866c7106..9d5dab8d27 100644
--- a/includes/licensing/windows-autopatch.md
+++ b/includes/licensing/windows-autopatch.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-autopilot.md b/includes/licensing/windows-autopilot.md
index 1eee13f367..ae6d646c68 100644
--- a/includes/licensing/windows-autopilot.md
+++ b/includes/licensing/windows-autopilot.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-defender-application-control-wdac.md b/includes/licensing/windows-defender-application-control-wdac.md
index 86ab8d5f14..52264205ff 100644
--- a/includes/licensing/windows-defender-application-control-wdac.md
+++ b/includes/licensing/windows-defender-application-control-wdac.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-defender-system-guard.md b/includes/licensing/windows-defender-system-guard.md
index 7e8c06b51d..cecce5edd5 100644
--- a/includes/licensing/windows-defender-system-guard.md
+++ b/includes/licensing/windows-defender-system-guard.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-firewall.md b/includes/licensing/windows-firewall.md
index 8e0bc9faf0..cfdbbca9d9 100644
--- a/includes/licensing/windows-firewall.md
+++ b/includes/licensing/windows-firewall.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
index 56e03e6bd4..780134b0ae 100644
--- a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
+++ b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-hello-for-business.md b/includes/licensing/windows-hello-for-business.md
index 95ffbf43a9..229a6ae597 100644
--- a/includes/licensing/windows-hello-for-business.md
+++ b/includes/licensing/windows-hello-for-business.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-laps.md b/includes/licensing/windows-laps.md
index eaddd61d61..d0fa59421e 100644
--- a/includes/licensing/windows-laps.md
+++ b/includes/licensing/windows-laps.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-defender-remote-credential-guard.md b/includes/licensing/windows-passwordless-experience.md
similarity index 78%
rename from includes/licensing/windows-defender-remote-credential-guard.md
rename to includes/licensing/windows-passwordless-experience.md
index 8d862bdc9d..e24ee8935e 100644
--- a/includes/licensing/windows-defender-remote-credential-guard.md
+++ b/includes/licensing/windows-passwordless-experience.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Windows Defender Remote Credential Guard:
+The following table lists the Windows editions that support Windows passwordless experience:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Windows Defender Remote Credential Guard license entitlements are granted by the following licenses:
+Windows passwordless experience license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/windows-presence-sensing.md b/includes/licensing/windows-presence-sensing.md
index 977c729c0c..aba249fcb0 100644
--- a/includes/licensing/windows-presence-sensing.md
+++ b/includes/licensing/windows-presence-sensing.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-sandbox.md b/includes/licensing/windows-sandbox.md
index a486fd64de..65198775ad 100644
--- a/includes/licensing/windows-sandbox.md
+++ b/includes/licensing/windows-sandbox.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-security-policy-settings-and-auditing.md b/includes/licensing/windows-security-policy-settings-and-auditing.md
index a1742270bf..07f612b6ae 100644
--- a/includes/licensing/windows-security-policy-settings-and-auditing.md
+++ b/includes/licensing/windows-security-policy-settings-and-auditing.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md
index 1ac1b42374..950fe7b629 100644
--- a/store-for-business/app-inventory-management-microsoft-store-for-business.md
+++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md
@@ -106,7 +106,7 @@ Employees can claim apps that admins added to the private store by doing the fol
 ### Get and remove private store apps
 **To claim an app from the private store**
 
-1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Microsoft Store app.
+1. Sign in to your computer with your Microsoft Entra credentials, and start the Microsoft Store app.
 2. Click the private store tab.
 3. Click the app you want to install, and then click **Install**.
 
@@ -203,4 +203,4 @@ You can download a preview PowerShell script that uses REST APIs. The script is
 - Perform bulk options using .csv files - this automates license management for customers with large numbers of licenses
 
 > [!NOTE]
-> The Microsoft Store for Business and Education Admin role is required to manage products and to use the MSStore module. This requires advanced knowledge of PowerShell.
\ No newline at end of file
+> The Microsoft Store for Business and Education Admin role is required to manage products and to use the MSStore module. This requires advanced knowledge of PowerShell.
diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md
index 92bced3780..4438a5efb2 100644
--- a/store-for-business/apps-in-microsoft-store-for-business.md
+++ b/store-for-business/apps-in-microsoft-store-for-business.md
@@ -62,7 +62,7 @@ If an employee makes an in-app purchase, they'll make it with their personal Mic
 Microsoft Store supports two options to license apps: online and offline.
 
 ### Online licensing
-Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user's Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
+Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user's Microsoft Entra identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
 
 Distribution options for online-licensed apps include the ability to:
 
@@ -78,4 +78,4 @@ You have the following distribution options for offline-licensed apps:
 - Include the app in a provisioning package, and then use it as part of imaging a device.
 - Distribute the app through a management tool.
 
-For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md).
\ No newline at end of file
+For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md).
diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
index 8f2ddc7b24..74d05180b7 100644
--- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
@@ -27,16 +27,16 @@ ms.date: 05/24/2023
 
 For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
 
-Your management tool needs to be installed and configured with Azure AD, in the same directory that you are using for Store for Business. Once that's done, you can configure it to work with Store for Business
+Your management tool needs to be installed and configured with Microsoft Entra ID, in the same directory that you are using for Store for Business. Once that's done, you can configure it to work with Store for Business
 
-**To configure a management tool in Azure AD**
+**To configure a management tool in Microsoft Entra ID**
 
 1. Sign in to the Azure Portal as an Administrator.
-2. Click **Azure Active Directory**, and then choose your directory.
+2. Click **Microsoft Entra ID**, and then choose your directory.
 4. Click **Mobility (MDM and MAM)**.  
 3. Click **+Add Applications**, find the application, and add it to your directory.
 
-After your management tool is added to your Azure AD directory, you can configure it to work with Microsoft Store. You can configure multiple management tools - just repeat the following procedure.
+After your management tool is added to your Microsoft Entra directory, you can configure it to work with Microsoft Store. You can configure multiple management tools - just repeat the following procedure.
 
 **To configure a management tool in Microsoft Store for Business**
 
@@ -49,4 +49,4 @@ Your MDM tool is ready to use with Microsoft Store. To learn how to configure sy
 - [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
 - [Manage apps from Microsoft Store for Business with Microsoft Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
 
-For third-party MDM providers or management servers, check your product documentation.
\ No newline at end of file
+For third-party MDM providers or management servers, check your product documentation.
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index e391ccb12a..a7c0db425c 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -61,7 +61,7 @@ Employees can claim apps that admins added to the private store by doing the fol
 
 **To claim an app from the private store**
 
-1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start Microsoft Store app.
+1. Sign in to your computer with your Microsoft Entra credentials, and start Microsoft Store app.
 2. Click the **private store** tab.
 3. Click the app you want to install, and then click **Install**.
 
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index 77faaf7d85..0d0f36b0db 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -27,9 +27,9 @@ ms.date: 05/24/2023
 
 You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
 
-Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Microsoft Store.
+Your MDM tool needs to be installed and configured in Microsoft Entra ID, in the same Microsoft Entra directory used with Microsoft Store.
 
-In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business).
+In Microsoft Entra management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Microsoft Entra ID, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business).
 
 Microsoft Store services provide:
 
@@ -40,9 +40,9 @@ Microsoft Store services provide:
 
 MDM tool requirements:
 
--   Must be an Azure Active Directory (AD) application to authenticate against the Store for Business services.
--   Must be configured in Azure AD, and Microsoft Store.
--   Azure AD identity is required to authorize Microsoft Store services.
+-   Must be a Microsoft Entra application to authenticate against the Store for Business services.
+-   Must be configured in Microsoft Entra ID, and Microsoft Store.
+-   Microsoft Entra identity is required to authorize Microsoft Store services.
 
 ## Distribute offline-licensed apps
 
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index d4049b9caa..eefa9c7b90 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -35,7 +35,7 @@ Offline-licensed apps offer an alternative to online apps, and provide additiona
 
 - **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD).
 
-- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store.
+- **Your employees do not have Microsoft Entra accounts** - Microsoft Entra accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store.
 
 ## Distribution options for offline-licensed apps
 
@@ -79,4 +79,4 @@ There are several items to download or create for offline-licensed apps. The app
     - **To download an app framework**: Find the framework you need to support your app package, and click **Download**. This is optional.
 
 > [!NOTE]
-> You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible.
\ No newline at end of file
+> You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible.
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index f0006e84b3..ba3d25fe32 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -67,7 +67,10 @@
         "v-dihans",        
         "garycentric",
         "v-stsavell",
-        "beccarobins"
+        "beccarobins",
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ]
     },
     "fileMetadata": {},
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 2d6b07538f..b018c5e595 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -30,7 +30,7 @@ Welcome to the Microsoft Store for Business and Education! You can use Microsoft
 >
 > - As of April 14, 2021, all apps that charge a base price above free are no longer available to buy in the Microsoft Store for Business and Education. If you've already bought a paid app, you can still use it, but no new purchases are possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you can't buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use from the private store. Apps with a base price of "free" are still available. This change doesn't impact apps in the Microsoft Store on Windows 10.
 >
-> - Also as of April 14, 2021, you must sign in with your Azure Active Directory (Azure AD) account before you browse Microsoft Store for Business and Education.
+> - Also as of April 14, 2021, you must sign in with your Microsoft Entra account before you browse Microsoft Store for Business and Education.
 
 ## In this section
 
@@ -40,5 +40,5 @@ Welcome to the Microsoft Store for Business and Education! You can use Microsoft
 | [Find and acquire apps](find-and-acquire-apps-overview.md) | Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. |
 | [Manage apps](manage-apps-microsoft-store-for-business-overview.md) | Manage settings and access to apps in Microsoft Store for Business and Education. |
 | [Device Guard signing portal](device-guard-signing-portal.md) | Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files. |
-| [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md) | You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant |
-| [Troubleshoot Microsoft Store for Business and Education](troubleshoot-microsoft-store-for-business.md) | Troubleshooting topics for Microsoft Store for Business and Education. |
\ No newline at end of file
+| [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md) | You can add users and groups, as well as update some of the settings associated with the Microsoft Entra tenant |
+| [Troubleshoot Microsoft Store for Business and Education](troubleshoot-microsoft-store-for-business.md) | Troubleshooting topics for Microsoft Store for Business and Education. |
diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md
index ad7a735cf4..7ae3789d4b 100644
--- a/store-for-business/manage-settings-microsoft-store-for-business.md
+++ b/store-for-business/manage-settings-microsoft-store-for-business.md
@@ -1,6 +1,6 @@
 ---
 title: Manage settings for Microsoft Store for Business and Microsoft Store for Education (Windows 10)
-description: You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
+description: You can add users and groups, as well as update some of the settings associated with the Microsoft Entra tenant.
 ms.assetid: E3283D77-4DB2-40A9-9479-DDBC33D5A895
 ms.reviewer: 
 ms.mktglfcycl: manage
@@ -25,7 +25,7 @@ ms.date: 05/24/2023
 > - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed).
 
-You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
+You can add users and groups, as well as update some of the settings associated with the Microsoft Entra tenant.
 
 ## In this section
 
@@ -34,5 +34,3 @@ You can add users and groups, as well as update some of the settings associated
 | [Update Microsoft Store for Business and Education account settings](update-microsoft-store-for-business-account-settings.md) | **Billing - Account profile**  in Microsoft Store for Business shows information about your organization that you can update. Payment options can be managed on **Billing - Payment methods**, and offline license settings can be managed on **Settings - Shop**. |
 | [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. You can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md) and to groups.|
 | [Understand your invoice](billing-understand-your-invoice-msfb.md) | Information on invoices for products and services bought under the Microsoft Customer Agreement.|
-
-
diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
index ab89a344ff..792c6de5e0 100644
--- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
+++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
@@ -27,22 +27,26 @@ ms.date: 05/24/2023
 
 Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups.
 
-## Why Azure AD accounts?
+<a name='why-azure-ad-accounts'></a>
+
+## Why Microsoft Entra accounts?
 For organizations planning to use the private store feature with Store for Business, we recommend that you also configure cloud domain join. This provides a seamless integration between the identity your admin and employees will use to sign in to Windows and Microsoft Store for Business.
 
-Azure AD is an Azure service that provides identity and access management capabilities using the cloud. It is primarily designed to provide this service for cloud- or web-based applications that need to access your local Active Directory information. Azure AD identity and access management includes:
+Microsoft Entra ID is an Azure service that provides identity and access management capabilities using the cloud. It is primarily designed to provide this service for cloud- or web-based applications that need to access your local Active Directory information. Microsoft Entra identity and access management includes:
 
 - Single sign-on to any cloud and on-premises web app.
 - Works with multiple platforms and devices.
 - Integrate with on-premises Active Directory.
 
-For more information on Azure AD, see [About Office 365 and Azure Active Directory](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
+For more information on Microsoft Entra ID, see [About Office 365 and Microsoft Entra ID](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
 
-## Add user accounts to your Azure AD directory
-If you created a new Azure AD directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. That global administrator can add user accounts to your Azure AD directory. However, adding user accounts to your Azure AD directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-microsoft-store-for-business.md)
+<a name='add-user-accounts-to-your-azure-ad-directory'></a>
 
-You can use the [Office 365 admin dashboard](https://portal.office.com/adminportal) or [Azure management portal](https://portal.azure.com/) to add user accounts to your Azure AD directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617).
+## Add user accounts to your Microsoft Entra directory
+If you created a new Microsoft Entra directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. That global administrator can add user accounts to your Microsoft Entra directory. However, adding user accounts to your Microsoft Entra directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-microsoft-store-for-business.md)
+
+You can use the [Office 365 admin dashboard](https://portal.office.com/adminportal) or [Azure management portal](https://portal.azure.com/) to add user accounts to your Microsoft Entra directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617).
 
 For more information, see:
 - [Add user accounts using Office 365 admin dashboard](/microsoft-365/admin/add-users)
-- [Add user accounts using Azure management portal](/azure/active-directory/fundamentals/add-users-azure-active-directory)
\ No newline at end of file
+- [Add user accounts using Azure management portal](/azure/active-directory/fundamentals/add-users-azure-active-directory)
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index 5c9f5e618a..2cd07840b0 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -9,6 +9,7 @@ author: cmcatee-MSFT
 manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
+ms.custom: has-azure-ad-ps-ref
 ms.date: 05/24/2023
 ms.reviewer: 
 ---
@@ -35,7 +36,7 @@ You can use the PowerShell module to:
 - Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses
 
 >[!NOTE]
->Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Azure Active Directory Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
+>Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Microsoft Entra ID Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
 
 ## Requirements
 To use the Microsoft Store for Business and Education PowerShell module, you'll need:
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 51d26aea04..bb6d16110b 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -36,7 +36,7 @@ Designed for organizations, Microsoft Store for Business and Microsoft Store for
 ## Features
 Organizations or schools of any size can benefit from using Microsoft Store for Business or Microsoft Store for Education:
 
-- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate Microsoft Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
+- **Scales to fit the size of your business** - For smaller businesses, with Microsoft Entra accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate Microsoft Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
 - **Bulk app acquisition** - Acquire apps in volume from Microsoft Store for Business.
 - **Centralized management** – Microsoft Store provides centralized management for inventory, billing, permissions, and order history. You can use Microsoft Store to view, manage and distribute items purchased from:
     - **Microsoft Store for Business** – Apps acquired from Microsoft Store for Business
@@ -63,21 +63,21 @@ You'll need this software to work with Store for Business and Education.
 - Admins working with Store for Business and Education need a browser compatible with Microsoft Store running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, or current versions of Microsoft Edge, Chrome or Firefox. JavaScript must be supported and enabled.
 - Employees using apps from Store for Business and Education need at least Windows 10, version 1511 running on a PC or mobile device.
 
-Microsoft Azure Active Directory (AD) accounts for your employees:
+Microsoft Entra accounts for your employees:
 
-- Admins need Azure AD accounts to sign up for Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses. You can sign up for Azure AD accounts as part of signing up for Store for Business and Education.
-- Employees need Azure AD account when they access Store for Business content from Windows devices.
-- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account
-- For offline-licensed apps, Azure AD accounts are not required for employees.
+- Admins need Microsoft Entra accounts to sign up for Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses. You can sign up for Microsoft Entra accounts as part of signing up for Store for Business and Education.
+- Employees need Microsoft Entra account when they access Store for Business content from Windows devices.
+- If you use a management tool to distribute and manage online-licensed apps, all employees will need a Microsoft Entra account
+- For offline-licensed apps, Microsoft Entra accounts are not required for employees.
 - Admins can add or remove user accounts in the Microsoft 365 admin center, even if you don't have an Office 365 subscription. You can access the Office 365 admin portal directly from the Store for Business and Education. 
 
-For more information on Azure AD, see [About Office 365 and Azure Active Directory](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
+For more information on Microsoft Entra ID, see [About Office 365 and Microsoft Entra ID](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
 
 ### Optional
 
 While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools:
 
-- Need to integrate with Windows 10 management framework and Azure AD.
+- Need to integrate with Windows 10 management framework and Microsoft Entra ID.
 - Need to sync with the Store for Business inventory to distribute apps.
 
 ## How does the Store for Business and Education work?
@@ -88,7 +88,7 @@ The first step for getting your organization started with Store for Business and
 
 ## Set up
 
-After your admin signs up for the Store for Business and Education, they can assign roles to other employees in your company or school. The admin needs Azure AD User Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions.
+After your admin signs up for the Store for Business and Education, they can assign roles to other employees in your company or school. The admin needs Microsoft Entra user Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions.
 
 | Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing |
 | ---------- | ---------------- | ------------ | --------------- | -------------------- |
@@ -100,13 +100,13 @@ After your admin signs up for the Store for Business and Education, they can ass
 > [!NOTE]
 > Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see [Microsoft Store for Education permissions](/education/windows/education-scenarios-store-for-business?toc=%2fmicrosoft-store%2feducation%2ftoc.json#manage-domain-settings).
 
-In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-microsoft-store-for-business.md).
+In some cases, admins will need to add Microsoft Entra accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-microsoft-store-for-business.md).
 
 Also, if your organization plans to use a management tool, you'll need to configure your management tool to sync with Store for Business and Education.
 
 ## Get apps and content
 
-Once signed in to the Microsoft Store, you can browse and search for all products in the Store for Business and Education catalog. Some apps are free,and some apps charge a price. We're continuing to add more paid apps to the Store for Business and Education. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card, and some items can be paid for with an invoice. We'll be adding more payment options over time. 
+Once signed in to the Microsoft Store, you can browse and search for all products in the Store for Business and Education catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business and Education. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card, and some items can be paid for with an invoice. We'll be adding more payment options over time. 
 
 **App types** - These app types are supported in the Store for Business and Education:
 
@@ -130,7 +130,7 @@ App distribution is handled through two channels, either through the Microsoft S
 **Distribute with Store for Business and Education**:
 - Email link – After purchasing an app, Admins can send employees a link in an email message. Employees can click the link to install the app.
 - Curate private store for all employees – A private store can include content you've purchased from Microsoft Store for Business, and your line-of-business apps that you've submitted to Microsoft Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
-- To use the options above users must be signed in with an Azure AD account on a Windows 10 device. Licenses are assigned as individuals install apps. 
+- To use the options above users must be signed in with a Microsoft Entra account on a Windows 10 device. Licenses are assigned as individuals install apps. 
 
 **Using a management tool** – For larger organizations that want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
 - Scoped content distribution – Ability to scope content distribution to specific groups of employees.
@@ -244,7 +244,6 @@ Store for Business and Education is currently available in these markets.
 - Liechtenstein
 - Lithuania
 - Luxembourg
-- Macedonia
 - Madagascar
 - Malawi
 - Malaysia
@@ -268,6 +267,7 @@ Store for Business and Education is currently available in these markets.
 - New Zealand
 - Nicaragua
 - Nigeria
+- North Macedonia
 - Norway
 - Oman
 - Pakistan
@@ -310,7 +310,7 @@ Store for Business and Education is currently available in these markets.
 - Tonga
 - Trinidad and Tobago
 - Tunisia
-- Turkey
+- Türkiye
 - Turks and Caicos Islands
 - Uganda
 - United Arab Emirates
@@ -366,7 +366,7 @@ This table summarize what customers can purchase, depending on which Microsoft S
 
 ## Privacy notice
 
-Store for Business and Education services get names and email addresses of people in your organization from Azure Active Directory. This information is needed for these admin functions:
+Store for Business and Education services get names and email addresses of people in your organization from Microsoft Entra ID. This information is needed for these admin functions:
 - Granting and managing permissions
 - Managing app licenses 
 - Distributing apps to people (names appear in a list that admins can select from)
@@ -386,4 +386,4 @@ Developers in your organization, or ISVs can create content specific to your org
 
 Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in Store for Business and Education. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in Store for Business and Education will work only on Windows 10.
 
-For more information on line-of-business apps, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
\ No newline at end of file
+For more information on line-of-business apps, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md
index 08a23b9119..e1edf848cc 100644
--- a/store-for-business/notifications-microsoft-store-business.md
+++ b/store-for-business/notifications-microsoft-store-business.md
@@ -32,7 +32,7 @@ Microsoft Store for Business and Microsoft Store for Education use a set of noti
 
 | Store area | Notification message | Customer impact |
 | ---------- | -------------------- | --------------- |
-| General | We're on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. |
+| General | We're on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Microsoft Entra outage. |
 | Manage | We're on it. Something happened on our end with management for apps and software. We're working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history.  |
 | Shop | We're on it. Something happened on our end with purchasing. We're working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. |
 | Private store | We're on it. Something happened on our end with your organization's private store. People in your organization can't download apps right now. We're working to fix the problem. | People in your organization might not be able to view the private store, or get apps. |
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 3543e2ade4..1d519c7d26 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -42,18 +42,18 @@ You'll need this software to work with Microsoft Store for Business or Education
 -   IT Pros that are administering Microsoft Store for Business and Education need a browser compatible with Microsoft Store for Business and Education running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox. Javascript needs to be supported and enabled. 
 -   Employees using apps from Microsoft Store for Business and Education need at least Windows 10, version 1511 running on a PC or mobile device.
 
-Microsoft Azure Active Directory (AD) or Office 365 accounts for your employees:
--   IT Pros need Azure AD or Office 365 accounts to sign up for Microsoft Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses.
--   Employees need Azure AD accounts when they access Microsoft Store for Business or Education content from Windows-based devices.
--   If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account.
+Microsoft Entra ID or Office 365 accounts for your employees:
+-   IT Pros need Microsoft Entra ID or Office 365 accounts to sign up for Microsoft Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses.
+-   Employees need Microsoft Entra accounts when they access Microsoft Store for Business or Education content from Windows-based devices.
+-   If you use a management tool to distribute and manage online-licensed apps, all employees will need a Microsoft Entra account.
 
-For more information on Azure AD, see [About Office 365 and Azure Active Directory](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
+For more information on Microsoft Entra ID, see [About Office 365 and Microsoft Entra ID](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
 
 ### Optional
 
 While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. If you're considering using management tools, check with the management tool vendor to see if they support Microsoft Store for Business and Education. The management tool will need to:
 
--   Integrate with the Windows 10 management framework and Azure AD.
+-   Integrate with the Windows 10 management framework and Microsoft Entra ID.
 -   Sync with Microsoft Store for Business and Education inventory to distribute apps.
 
 ## Proxy configuration
@@ -73,4 +73,3 @@ If your organization restricts computers on your network from connecting to the
   starting with Windows 10, version 1607)
  
 Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps.
-
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 9ac3ce2446..842c7e3e8e 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@@ -1,6 +1,6 @@
 ---
 title: Roles and permissions in Microsoft Store for Business and Education (Windows 10)
-description: The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.
+description: The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Microsoft Entra tenant. Once the Global Admin has signed in, they can give permissions to others employees.
 keywords: roles, permissions
 ms.assetid: CB6281E1-37B1-4B8B-991D-BC5ED361F1EE
 ms.reviewer: 
@@ -29,9 +29,9 @@ ms.date: 05/24/2023
 > [!NOTE]
 > As of April 14th, 2021, only free apps are available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
 
-The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.
+The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Microsoft Entra tenant. Once the Global Admin has signed in, they can give permissions to others employees.
 
-Microsoft Store for Business and Education has a set of roles that help admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access the Store. Global Administrators and global user accounts that are used with other Microsoft services, such as Azure, or Office 365 can sign in to Microsoft Store. Global user accounts have some permissions in Microsoft Store, and Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store.
+Microsoft Store for Business and Education has a set of roles that help admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Microsoft Entra account to access the Store. Global Administrators and global user accounts that are used with other Microsoft services, such as Azure, or Office 365 can sign in to Microsoft Store. Global user accounts have some permissions in Microsoft Store, and Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store.
 
 ## Global user account permissions in Microsoft Store
 
@@ -49,7 +49,7 @@ This table lists the global user accounts and the permissions they have in Micro
 
 ## Microsoft Store roles and permissions
 
-Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store.
+Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Microsoft Entra account to access Microsoft Store.
 
 This table lists the roles and their permissions.
 
@@ -100,4 +100,4 @@ These permissions allow people to:
 
     <!--- ![Image showing Assign roles to people box in Microsoft Store for Business.](images/wsfb-permissions-assignrole.png) -->
 
-4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
\ No newline at end of file
+4. If you don't find the name you want, you might need to add people to your Microsoft Entra directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md
index a5b192031e..365a4304f2 100644
--- a/store-for-business/settings-reference-microsoft-store-for-business.md
+++ b/store-for-business/settings-reference-microsoft-store-for-business.md
@@ -32,7 +32,7 @@ The Microsoft Store for Business and Education has a group of settings that admi
 | Allow users to shop  | Configure whether or not people in your organization or school can see and use the shop function in Store for Business or Store for Education. For more information, see [Allow users to shop](acquire-apps-microsoft-store-for-business.md#allow-users-to-shop). | **Settings - Shop** |
 | Make everyone a Basic Purchaser  | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](/education/windows/education-scenarios-store-for-business#basic-purchaser-role). | **Settings - Shop** |
 | App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Shop** |
-| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** |
+| Management tools | Management tools that are synced with Microsoft Entra ID are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** |
 | Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices**  |
 | Permissions   | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles**, **Permissions - Purchasing roles**, and **Permissions - Blocked basic purchasers** |
 | Line-of-business (LOB) publishers  | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** |
diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
index d1139f7ada..7a1837372b 100644
--- a/store-for-business/sign-up-microsoft-store-for-business-overview.md
+++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md
@@ -36,5 +36,5 @@ IT admins can sign up for Microsoft Store for Business and Education, and get st
 | ----- | ----------- |
 | [Microsoft Store for Business and Education overview](./microsoft-store-for-business-overview.md) | Learn about Microsoft Store for Business. |
 | [Prerequisites for Microsoft Store for Business and Education](./prerequisites-microsoft-store-for-business.md) | There are a few prerequisites for using [Microsoft Store for Business and Education.](/microsoft-store/prerequisites-microsoft-store-for-business) |
-| [Roles and permissions in Microsoft Store for Business and Education](./roles-and-permissions-microsoft-store-for-business.md)| The first person to sign in to Microsoft Store for Business and Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. |
+| [Roles and permissions in Microsoft Store for Business and Education](./roles-and-permissions-microsoft-store-for-business.md)| The first person to sign in to Microsoft Store for Business and Education must be a Global Admin of the Microsoft Entra tenant. Once the Global Admin has signed in, they can give permissions to others employees. |
 | [Settings reference: Microsoft Store for Business and Education](./settings-reference-microsoft-store-for-business.md) | Microsoft Store for Business and Education has a group of settings that admins use to manage the store. |
diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md
index ea6dd9e359..03b03469ee 100644
--- a/store-for-business/update-microsoft-store-for-business-account-settings.md
+++ b/store-for-business/update-microsoft-store-for-business-account-settings.md
@@ -37,7 +37,7 @@ Before purchasing apps that have a fee, you need to add or update your organizat
 
 We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we'll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don't have an address, we'll ask you to enter it during your first purchase.
 
-We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization's Office 365 or Azure AD tenant that is used with Microsoft Store.
+We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization's Office 365 or Microsoft Entra tenant that is used with Microsoft Store.
 
 **To update billing account information**
 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)
@@ -143,4 +143,4 @@ Admins can decide whether or not offline licenses are shown for apps in Microsof
 You have the following distribution options for offline-licensed apps:
 - Include the app in a provisioning package, and then use it as part of imaging a device.
 - Distribute the app through a management tool.
-For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-with-management-tool.md). -->
\ No newline at end of file
+For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-with-management-tool.md). -->
diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md
index bc31b8b6e5..db4571a9c6 100644
--- a/windows/application-management/add-apps-and-features.md
+++ b/windows/application-management/add-apps-and-features.md
@@ -1,74 +1,98 @@
 ---
-title: Add or hide optional apps and features on Windows devices | Microsoft Docs
-description: Learn how to add Windows 10 and Windows 11 optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
+title: Add or hide Windows features
+description: Learn how to add Windows optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
 author: aczechowski
 ms.author: aaroncz
 manager: aaroncz
-ms.date: 08/30/2021
-ms.topic: article
+ms.date: 08/18/2023
+ms.topic: how-to
 ms.prod: windows-client
 ms.technology: itpro-apps
 ms.localizationpriority: medium
 ms.collection: tier2
-ms.reviewer:
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
-# Add or hide features on the Windows client OS
+# Add or hide Windows features
 
-**Applies to**:
+Windows includes optional features that aren't installed by default, but you can add later. These features are called [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities), and can be installed at any time. Some of these features are language resources like language packs or handwriting support. On organization-owned devices, you can control access to these other features. You can use group policy or mobile device management (MDM) policies to hide the UI from users, or use Windows PowerShell to enable or disable specific features.
 
-- Windows 10
-- Windows 11
+## Use the Windows Settings app to add or uninstall features
 
-The Windows client operating systems include more features that you and your users can install. These features are called [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (opens another Microsoft web site), and can be installed at any time. On your organization-owned devices, you may want to control access to these other features.
+### Windows 11
 
-This article:
+1. Open the Start menu and search for **Settings**.
 
-- Shows you how to add features using the user interface.
-- Lists the group policies and Mobile device management (MDM) policies to hide Windows Features.
-- Includes information on using Windows PowerShell to disable specific Windows Features.
+1. In the Settings app, search for "optional" and select **Optional features**.
 
-If you're working on your own device, use the **Settings** app to add features.
+   > [!TIP]
+   > You can also use the following shortcut to open it directly: [`ms-settings:optionalfeatures`](ms-settings:optionalfeatures).
 
-## Add or uninstall features
+1. To add a feature:
 
-1. In the Search bar, search for "apps", and select **Apps and features**.
-2. Select **Optional features** > **Add a feature**.
-3. Select the feature you want to add, like **XPS Viewer**, and then select **Install.**
+    1. Select **View features** next to "Add an optional feature."
+
+    1. Find the feature you want to add, like **XPS Viewer**. Select the box to add it. You can select multiple features.
+
+    1. Select **Next**. Review the list of features you selected, and then select **Install** to add the selected features.
+
+1. To uninstall a feature:
+
+    1. Search for it in the list of **Installed features**.
+
+    1. Expand the section, and select **Uninstall**.
+
+### Windows 10
+
+1. In the Search bar, search for "apps" and select **Apps and features**.
+
+1. Select **Optional features** > **Add a feature**.
+
+1. Select the feature you want to add, like **XPS Viewer**, and then select **Install.**
 
 When the installation completes, the feature is listed in **Apps & features**. In **Apps & features** > **Optional features** > **More Windows features**, there are more features that you and your users can install.
 
 To uninstall a feature, open the **Settings** app. Select the feature, and then select **Uninstall**.
 
-## Use Group Policy or MDM to hide Windows Features
+## Use group policy or MDM policies to hide Windows features
 
-By default, the OS might show Windows Features, and allow users to install and uninstall these optional apps and features.
+By default, the OS might show Windows features and allow users to install and uninstall these optional apps and features. To hide Windows features on your user devices, you can use group policy or an MDM provider like Microsoft Intune.
 
-To hide Windows Features on your user devices, you can use Group Policy (on-premises), or use an MDM provider, such as Microsoft Intune (cloud).
+### Group policy
 
-### Group Policy
+If you use group policy, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Windows Features"` policy. By default, this policy may be set to **Not configured**, which means users can add or remove features. When this setting is **Enabled**, the settings page to add optional features is hidden on the device.
 
-If you use Group Policy, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Windows Features"` policy. By default, this policy may be set to **Not configured**, which means users can add or remove features. When this setting is **Enabled**, the Windows Features is hidden on the device.
-
-You can't use Group Policy to disable specific Windows Features, such as XPS Viewer. If you want to disable specific features, use [Windows PowerShell](#use-windows-powershell-to-disable-specific-features) (in this article).
+You can't use group policy to disable specific Windows features, such as XPS Viewer. If you want to disable specific features, use [Windows PowerShell](#use-windows-powershell-to-disable-specific-features).
 
 If you want to hide the entire **Apps** feature in the Settings app, use the `User Configuration\Administrative Template\Control Panel\Programs\Hide "Programs and Features" page` policy.
 
 ### MDM
 
-Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to hide Windows Features.
+Using Microsoft Intune, you can use [administrative templates](/mem/intune/configuration/administrative-templates-windows) or the [settings catalog](/mem/intune/configuration/settings-catalog) to hide Windows features.
 
-If you want to hide the entire **Apps** feature in the Settings app, you can use a configuration policy on Intune enrolled devices. For more information on the Control Panel settings you can configure, see [Control Panel settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings).
+If you want to hide the entire **Apps** feature in the Settings app, you can use a configuration policy on Intune enrolled devices. For more information on the settings you can configure, see [Control Panel and Settings device restrictions in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings).
 
 ## Use Windows PowerShell to disable specific features
 
-To disable specific features, you can use the Windows PowerShell [Disable-WindowsOptionalFeature](/powershell/module/dism/disable-windowsoptionalfeature) command. There isn't a Group Policy that disables specific Windows Features.
+To disable specific features, use the Windows PowerShell [Disable-WindowsOptionalFeature](/powershell/module/dism/disable-windowsoptionalfeature) cmdlet.
 
-If you're looking to automate disabling specific features, you can create a scheduled task. Then, use the scheduled task to run your Windows PowerShell script. For more information about Task Scheduler, see [Task Scheduler for developers](/windows/win32/taskschd/task-scheduler-start-page).
+> [!NOTE]
+> There isn't a group policy that disables specific Windows features.
 
-Microsoft Intune can also execute Windows PowerShell scripts. For more information, see [Use PowerShell scripts on Windows client devices in Intune](/mem/intune/apps/intune-management-extension).
+To automate disabling specific features, create a scheduled task to run a PowerShell script. For more information about Windows task scheduler, see [Task Scheduler for developers](/windows/win32/taskschd/task-scheduler-start-page).
 
-## Restore Windows features
+Microsoft Intune can also run PowerShell scripts. For more information, see [Use PowerShell scripts on Windows client devices in Intune](/mem/intune/apps/intune-management-extension).
 
-- If you use Group Policy or MDM to hide Windows Features or the entire Apps feature, you can set the policy to **Not configured**. Then, deploy your policy. When the device receives the policy, the features are configurable.
-- Using Windows PowerShell, you can also enable specific features using the [Enable-WindowsOptionalFeature](/powershell/module/dism/enable-windowsoptionalfeature) command.
+To enable specific features, use the [Enable-WindowsOptionalFeature](/powershell/module/dism/enable-windowsoptionalfeature) cmdlet.
+
+Another useful PowerShell cmdlet is [Get-WindowsOptionalFeature](/powershell/module/dism/get-windowsoptionalfeature). Use this cmdlet to view information about optional features in the current OS or a mounted image. This cmdlet returns the current state of features, and whether a restart may be required when the state changes.
+
+## Related articles
+
+- [Features on Demand overview](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
+
+- [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod)
+
+- [Language and region Features on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-language-fod)
diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md
index e92126877b..4fc8997a6e 100644
--- a/windows/application-management/app-v/appv-about-appv.md
+++ b/windows/application-management/app-v/appv-about-appv.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
index db32a71242..040eda052e 100644
--- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
index d9607a39ca..b11acc20a7 100644
--- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
index e11cff3d2f..ec381c1293 100644
--- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md
+++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
index b73a1de7c6..cf6f1e8a76 100644
--- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
index 80ab1602b9..a02875375a 100644
--- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
+++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index 5782b539d8..025efdca77 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -7,6 +7,7 @@ ms.date: 06/08/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index ec704a9bfe..24903fe377 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 06/15/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
index 134f74c8d0..9d78748d49 100644
--- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 06/15/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md
index ccec12eeac..c8a8e980b5 100644
--- a/windows/application-management/app-v/appv-auto-batch-sequencing.md
+++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md
index 3cfc4a25e9..42e883d6c6 100644
--- a/windows/application-management/app-v/appv-auto-batch-updating.md
+++ b/windows/application-management/app-v/appv-auto-batch-updating.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index ef08860114..f73f89ee26 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -7,6 +7,7 @@ ms.date: 06/15/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md
index 960c96a092..0f09ca265b 100644
--- a/windows/application-management/app-v/appv-auto-provision-a-vm.md
+++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 1e7968c63d..e869fd86fb 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -7,6 +7,7 @@ ms.date: 06/15/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
index 87702c1df2..2b7edc6c54 100644
--- a/windows/application-management/app-v/appv-capacity-planning.md
+++ b/windows/application-management/app-v/appv-capacity-planning.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md
index 2b4f017846..d87457a13f 100644
--- a/windows/application-management/app-v/appv-client-configuration-settings.md
+++ b/windows/application-management/app-v/appv-client-configuration-settings.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index 1160f2c0de..ab350e2a83 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 06/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
index b472e767b9..9e7f90b5a1 100644
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
@@ -7,6 +7,7 @@ ms.date: 06/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
index ef9a170375..687c339a07 100644
--- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
+++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
@@ -7,6 +7,7 @@ ms.date: 06/25/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md
index d5f427090d..95ec5914c4 100644
--- a/windows/application-management/app-v/appv-connect-to-the-management-console.md
+++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 06/25/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md
index dbd81a5419..df85debbf2 100644
--- a/windows/application-management/app-v/appv-connection-group-file.md
+++ b/windows/application-management/app-v/appv-connection-group-file.md
@@ -7,6 +7,7 @@ ms.date: 06/25/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
index eb01f08fd1..26f5a073a8 100644
--- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md
+++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
@@ -7,6 +7,7 @@ ms.date: 06/25/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
index eb35d19690..3a2f20cbb5 100644
--- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
+++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
index fe8a0c0ac9..09a658895f 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md
index b67e058e20..18a61bee6e 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
index 4d6aef98c4..0dd4402170 100644
--- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
index 206a2c4dc9..30cddc907d 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md
index cd1a5e6314..93333681f5 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
index c5d16599a9..162c56efbc 100644
--- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
index 8fad7898e7..9420f67b5f 100644
--- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md
+++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index 41a9ea4ae0..4616ec336f 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
index 5d28a86d19..117cbd91bd 100644
--- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 07/10/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md
index 018b8c8984..55dc6b0ec7 100644
--- a/windows/application-management/app-v/appv-delete-a-connection-group.md
+++ b/windows/application-management/app-v/appv-delete-a-connection-group.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
index 6c7fbb6ee0..1917d768e9 100644
--- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
index 580eebc9fd..3fac560518 100644
--- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
+++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
index 5088aaaf0f..cbaf3e7123 100644
--- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index 16db5ceeae..19e48512a0 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
index 3b942f6fc7..4a9f49f03b 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md
index e4abca5b4d..d1d23d6d74 100644
--- a/windows/application-management/app-v/appv-deploying-appv.md
+++ b/windows/application-management/app-v/appv-deploying-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index 1db6409588..02924fde4f 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index 482e1e96be..0cb31fa36f 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index 5f5a47faf9..ee4cbe5751 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
index baaaf62754..20e131feb1 100644
--- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
index bbba1c8a0a..e2fd60d1e8 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
index 623e3ef07e..2b08876aed 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index 6b89ffcb68..fd90b055be 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md
index f782e22867..03ba41c6d2 100644
--- a/windows/application-management/app-v/appv-dynamic-configuration.md
+++ b/windows/application-management/app-v/appv-dynamic-configuration.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
index ca51b3b8f9..9c19cab0aa 100644
--- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
@@ -8,6 +8,7 @@ ms.date: 05/02/2022
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: how-to
 ---
 
diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
index 3e0f982303..cc71b17cb7 100644
--- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
+++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
index d23763d372..5b65a93ac1 100644
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
index 7ef67197bc..6874ebc260 100644
--- a/windows/application-management/app-v/appv-evaluating-appv.md
+++ b/windows/application-management/app-v/appv-evaluating-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
index 2798d2e4cf..ecb4183907 100644
--- a/windows/application-management/app-v/appv-for-windows.md
+++ b/windows/application-management/app-v/appv-for-windows.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index 500a015467..f851ca2a85 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md
index 3d480833f0..437b20eeb1 100644
--- a/windows/application-management/app-v/appv-high-level-architecture.md
+++ b/windows/application-management/app-v/appv-high-level-architecture.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
index 604d4ca93a..acc244a595 100644
--- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
+++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
index ec07a9f2a4..ae2e2b56c3 100644
--- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
+++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
index 077dfe70f2..5b258437f3 100644
--- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
index 62b5f49184..7457b54f82 100644
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
index 995af4a7b2..f5335dd5f0 100644
--- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index eeeb9120d7..2fdd2ec28d 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index 22fab6a3b5..2170f1e25b 100644
--- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index 8892ec9047..fb3a0ccc4e 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
index fc381bb0f9..e125255c83 100644
--- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
@@ -10,6 +10,7 @@ ms.date: 09/24/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index 4765157af7..c870425b03 100644
--- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index 789d7cc976..d65f100109 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index 78d3d9b6a6..b5ca6b5e48 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
index 0322083aa8..db81d9833c 100644
--- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
index f707da5e2e..6e0950dbf8 100644
--- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
+++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
index 7eb6a6ee5d..4b844f29a5 100644
--- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
+++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md
index bca6d21d80..7b2ef74380 100644
--- a/windows/application-management/app-v/appv-operations.md
+++ b/windows/application-management/app-v/appv-operations.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index 3d32c1834d..cb7e615a02 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index 4ba8df6b30..c391399dd5 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
index 7f9891e8dc..04e30a407c 100644
--- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
index d586c7d002..6d1dfd402c 100644
--- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md
index 88d29b3939..e0bf768b4b 100644
--- a/windows/application-management/app-v/appv-planning-for-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
index f83a6efb92..3f800f36de 100644
--- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
index 6249fb1463..61f49df9b6 100644
--- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index c0d76e731a..02914cd55b 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
index 2faf00ec3f..478b1f8523 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
index 8aeafdf96d..5cfdf7b332 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md
index 7960a6176f..95fad14736 100644
--- a/windows/application-management/app-v/appv-preparing-your-environment.md
+++ b/windows/application-management/app-v/appv-preparing-your-environment.md
@@ -7,6 +7,7 @@ ms.reviewer:
 author: aczechowski
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md
index e25a1a1ee7..9df6ba5e4c 100644
--- a/windows/application-management/app-v/appv-prerequisites.md
+++ b/windows/application-management/app-v/appv-prerequisites.md
@@ -7,6 +7,7 @@ ms.date: 04/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md
index 5f377d48e3..2a86b56aff 100644
--- a/windows/application-management/app-v/appv-publish-a-connection-group.md
+++ b/windows/application-management/app-v/appv-publish-a-connection-group.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
index 2c52dce04b..8d1b3b7041 100644
--- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 09/27/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
index 55b03dee3e..2c82592252 100644
--- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
index 9c0c3225bb..f2df77ee92 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
index 523b7ad256..00fd89be8c 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
index cd42eb1ffc..0108207c9e 100644
--- a/windows/application-management/app-v/appv-reporting.md
+++ b/windows/application-management/app-v/appv-reporting.md
@@ -7,6 +7,7 @@ ms.date: 04/16/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
index 6b551661d4..ce0c73c061 100644
--- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
+++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
@@ -7,6 +7,7 @@ ms.date: 03/08/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md
index 9482c32049..5c13af93a6 100644
--- a/windows/application-management/app-v/appv-security-considerations.md
+++ b/windows/application-management/app-v/appv-security-considerations.md
@@ -7,6 +7,7 @@ ms.date: 04/16/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md
index 6950c97d05..a19c89cc1c 100644
--- a/windows/application-management/app-v/appv-sequence-a-new-application.md
+++ b/windows/application-management/app-v/appv-sequence-a-new-application.md
@@ -7,6 +7,7 @@ ms.date: 04/16/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
index 04be00dcbf..1b289057fe 100644
--- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
+++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
index ffb10c4b02..059ef24c65 100644
--- a/windows/application-management/app-v/appv-supported-configurations.md
+++ b/windows/application-management/app-v/appv-supported-configurations.md
@@ -7,6 +7,7 @@ ms.date: 04/16/2018
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.topic: article
 ms.technology: itpro-apps
 ---
diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md
index bb3c4874f4..5feee6e5a9 100644
--- a/windows/application-management/app-v/appv-technical-reference.md
+++ b/windows/application-management/app-v/appv-technical-reference.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
index 74aec2aba2..6ad489e6d0 100644
--- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md
index 5678e04c06..8e916937ed 100644
--- a/windows/application-management/app-v/appv-troubleshooting.md
+++ b/windows/application-management/app-v/appv-troubleshooting.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
index bb291a0484..d9769d9ac3 100644
--- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
+++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md
index 66b4aa8372..3cdd99110d 100644
--- a/windows/application-management/app-v/appv-using-the-client-management-console.md
+++ b/windows/application-management/app-v/appv-using-the-client-management-console.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
index c0d29c01af..92b64eb2ec 100644
--- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
index d51f9556a1..ed8de7183d 100644
--- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
+++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
@@ -7,6 +7,7 @@ ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
 ms.author: aaroncz
+ms.collection: must-keep
 ms.technology: itpro-apps
 ---
 
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
deleted file mode 100644
index d96a55ee1f..0000000000
--- a/windows/application-management/apps-in-windows-10.md
+++ /dev/null
@@ -1,163 +0,0 @@
----
-title: Learn about the different app types in Windows 10/11 | Microsoft Docs
-description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.date: 02/09/2023
-ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-apps
-ms.localizationpriority: medium
-ms.collection: tier2
-ms.reviewer:
----
-
-# Overview of apps on Windows client devices
-
-**Applies to**:
-
-- Windows 10
-- Windows 11
-
-## Before you begin
-
-As organizations become more global, and to support employees working from anywhere, it's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use the Microsoft Intune family of products. This family includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
-
-In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
-
-- [Endpoint Management at Microsoft](/mem/endpoint-manager-overview)
-- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
-- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
-
-## App types
-
-There are different types of apps that can run on your Windows client devices. This section lists some of the common apps used on Windows devices.
-
-- **Microsoft 365 apps**: These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. Depending on the licenses your organization has, you may already have these apps. When you use an MDM provider, these apps can also be deployed to mobile devices, including smartphones.
-
-  For more information on the Microsoft 365 license options, and what you get, see [Transform your enterprise with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
-
-- **Power Apps**: These apps connect to business data available online and on-premises, and can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers. For more information, see [What is Power Apps?](/powerapps/powerapps-overview).
-
-- **.NET apps**: These apps can be desktop apps that run on the device, or web apps. Some common .NET apps include:
-
-  - **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF Application Development](/dotnet/desktop/wpf/app-development).
-  - **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview).
-
-- **Windows apps**:
-
-  > [!TIP]
-  > Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/).
-
-  - **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps:
-
-    - **Provisioned**: Installed in user account the first time you sign in with a new user account. To get a list of all the provisioned apps, use Windows PowerShell: `Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName` The output lists all the provisioned apps, and their package names. For more information, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage).
-
-    - **Installed**: Installed as part of the OS.
-
-  - **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps.
-
-    For more information, see [What's a Universal Windows Platform (UWP) app?](/windows/uwp/get-started/universal-application-platform-guide).
-
-  - **Win32 apps**: These apps are traditional Windows apps that run on the device, and are often called desktop apps. They require direct access to Windows and the device hardware, and typically don't require a web browser. These apps run in 32-bit mode on 64-bit devices, and don't depend on a managed runtime environment, like .NET.
-
-    For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Make your apps great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows).
-
-  - **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. To get a list of all the system apps, use Windows PowerShell: `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation` The output lists all the system apps, and their installation location. For more information, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage).
-
-- **Web apps** and **Progressive web apps (PWA)**: These apps run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have internet access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform.
-
-  Web apps are typically created in Visual Studio, and can be created with different languages. For more information, see [Create a Web App](https://azure.microsoft.com/get-started/web-app/). When the app is created and ready to be used, you deploy the web app to a web server. Using Azure, you can host your web apps in the cloud, instead of on-premises. For more information, see [App Service overview](/azure/app-service/overview).
-
-  Using an MDM provider, you can create shortcuts to your web apps and progressive web apps on devices.
-
-## Android&trade;️ apps
-
-Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android&trade;️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store.
-
-For more information, see:
-
-- [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48)
-- [Windows Subsystem for Android developer information](/windows/android/wsa)
-
-## Add or deploy apps to devices
-
-When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options.
-
-> [!NOTE]
-> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11.
->Visit [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution) for more information about the new Microsoft Store experience for both Windows 11 and Windows 10, and learn about other options for getting and managing apps.
-
-- **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**.
-
-  If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows client device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10).
-
-  For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles).
-
-- **Mobile device management (MDM)**: Use an MDM provider, like Microsoft Intune (cloud) or Configuration Manager (on-premises), to deploy apps. For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, add Store apps, and more.
-
-  For more information, see:
-
-  - [Add apps to Microsoft Intune](/mem/intune/apps/apps-add)
-  - [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management)
-
-- **Microsoft Store**: When you use the Microsoft Store app, Windows users can download apps from the public store. And, they can download apps provided by your organization, which is called the "private store". If your organization creates its own apps, you can use **[Windows Package Manager](/windows/package-manager)** to add apps to the private store.
-
-  To help manage the Microsoft Store on your devices, you can use policies:
-
-  - On premises, you can use Administrative Templates in Group Policy to control access to the Microsoft Store app:
-    - `User Configuration\Administrative Templates\Windows Components\Store`
-    - `Computer Configuration\Administrative Templates\Windows Components\Store`
-  - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to control access to the Microsoft Store app.
-
-  For more information, see:
-
-  - [Microsoft Store for Business and Education](/microsoft-store/)
-  - [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423)
-
-- **MSIX for desktop apps**: MSIX packages your UWP, Win32, WPF, and WinForm desktop application files. MSIX reliably installs apps, helps optimize disk storage space, and reduces duplicate files. If your organization typically uses `.EXE` or `.MSI` files to install desktop apps, then you should look into MSIX.
-
-  To deploy MSIX packages and their apps, you can:
-
-  - Use an MDM provider, like Microsoft Intune and Configuration Manager.
-  - Use an App Installer. User users double-click an installer file, or select a link on a web page.
-  - And more.
-
-  For more information, see:
-
-  - [What is MSIX?](/windows/msix/overview)
-  - [MSIX app distribution for enterprises](/windows/msix/desktop/managing-your-msix-deployment-enterprise)
-
-- **Windows Package Manager**: Windows Package Manager is a command line tool commonly used by developers to install Windows apps. Using the command line, you can get apps from the Microsoft Store or from GitHub (and more), and install these apps on Windows devices. It's helpful if you want to bypass user interfaces for getting apps from organizations and from developers.
-
-  If your organization uses `.EXE`, `.MSIX`, or `.MSI` files, then Windows Package Manager might be the right deployment option for your organization.
-
-  For more information, see [Windows Package Manager](/windows/package-manager).
-
-- **Azure Virtual desktop with MSIX app attach**: With Azure virtual desktop, you can virtualize the Windows client OS desktop, and use virtual apps on this desktop. With MSIX app attach, you dynamically deliver MSIX packaged apps to users and user groups.
-
-  The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally.
-
-  If you currently use App-V, and want to reduce your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the right deployment for your organization.
-
-  For more information, see:
-
-  - [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview)
-  - [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal)
-
-- **Application Virtualization (App-V)**: App-V allows Win32 apps to be used as virtual apps.
-
-  > [!NOTE]
-  > [!INCLUDE [Application Virtualization will be end of life in April 2026](./includes/app-v-end-life-statement.md)]
-
-  On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally.
-
-  The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](./app-v/appv-for-windows.md).
-
-  To help manage App-V on your devices, you can use policies:
-
-  - On premises, you can use Administrative Templates in Group Policy to deploy App-V policies (`Computer Configuration\Administrative Templates\System\App-V`).
-  - Using Microsoft Intune, you can use [Administrative Templates](/mem/intune/configuration/administrative-templates-windows) (opens another Microsoft web site) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) (opens another Microsoft web site) to deploy App-V policies.
-
-
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index b8d3bddc46..8b50896c5a 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -60,7 +60,10 @@
         "jborsecnik",
         "tiburd",
         "garycentric",
-        "beccarobins"
+        "beccarobins",
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ],
       "searchScope": ["Windows 10"]
     },
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml
index adca0baba0..b08cd77d57 100644
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@@ -1,39 +1,46 @@
 ### YamlMime:Landing
 
 title: Windows application management
-summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions.
+summary: Learn about managing applications in Windows client, including common app types.
 
 metadata:
   title: Windows application management
-  description: Learn about managing applications in Windows 10 and Windows 11.
+  description: Learn about managing applications in Windows client.
   author: aczechowski
   ms.author: aaroncz
   manager: aaroncz
-  ms.date: 08/24/2021
+  ms.date: 08/18/2023
   ms.topic: landing-page
   ms.prod: windows-client
   ms.collection:
     - tier1
     - highpri
 
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new
+
 landingContent:
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
-  # Card (optional)
-  - title: Manage Windows applications
+  - title: Manage applications
     linkLists:
-      - linkListType: overview
+      - linkListType: how-to-guide
         links:
-          - text: Understand apps in Windows client OS
-            url: apps-in-windows-10.md
-          - text: How to add features
+          - text: Overview of apps in Windows
+            url: overview-windows-apps.md
+          - text: Add or hide Windows features
             url: add-apps-and-features.md
           - text: Sideload LOB apps
             url: sideload-apps-in-windows-10.md
           - text: Keep removed apps from returning during an update
             url: remove-provisioned-apps-during-update.md
 
-  # Card (optional)
+  - title: Manage services
+    linkLists:
+      - linkListType: reference
+        links:
+          - text: Per-user services in Windows
+            url: per-user-services-in-windows.md
+          - text: Changes to Service Host grouping in Windows 10
+            url: svchost-service-refactoring.md
+
   - title: Application Virtualization (App-V) 
     linkLists:
       - linkListType: overview
@@ -52,15 +59,3 @@ landingContent:
             url: app-v/appv-troubleshooting.md
           - text: Technical Reference for App-V
             url: app-v/appv-technical-reference.md
-
-  # Card (optional)
-  - title: Windows System Services
-    linkLists:
-      - linkListType: overview
-        links:
-          - text: Changes to Service Host grouping in Windows 10
-            url: svchost-service-refactoring.md
-          - text: Per-user services in Windows
-            url: per-user-services-in-windows.md
-          - text: Per-user services in Windows
-            url: per-user-services-in-windows.md
diff --git a/windows/application-management/overview-windows-apps.md b/windows/application-management/overview-windows-apps.md
new file mode 100644
index 0000000000..135c557b56
--- /dev/null
+++ b/windows/application-management/overview-windows-apps.md
@@ -0,0 +1,200 @@
+---
+title: Overview of apps on Windows client devices
+description: Learn about the different types of apps that run on Windows. For example, Universal Windows Platform (UWP), Windows Presentation Foundation (WPF), Win32, and Windows Forms apps. This article also includes the best way to install these apps.
+author: aczechowski
+ms.author: aaroncz
+manager: aaroncz
+ms.date: 08/28/2023
+ms.topic: overview
+ms.prod: windows-client
+ms.technology: itpro-apps
+ms.localizationpriority: medium
+ms.collection: tier2
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+---
+
+# Overview of apps on Windows client devices
+
+There are different types of apps that can run on your Windows client devices. This article provides an overview of some of the common apps used on Windows devices. It also explains the basics of how to install these apps.
+
+## Windows app types
+
+### Microsoft 365 apps
+
+These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. Depending on the licenses your organization has, you may already have these apps. When you use an MDM provider, these apps can also be deployed to mobile devices, including smartphones.
+
+For more information on the Microsoft 365 license options, and what you get, see [Find the right Microsoft 365 enterprise plan for your organization](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing).
+
+For more information on deploying Microsoft 365 apps, see the [Deployment guide for Microsoft 365 Apps](/DeployOffice/deployment-guide-microsoft-365-apps).
+
+### Power Apps
+
+These apps are custom, low-code apps to connect to business data, modernize processes, and solve unique challenges. Power Apps are available online and on-premises, can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers. 
+
+For more information, see [What is Power Apps?](/power-apps/powerapps-overview).
+
+### .NET apps
+
+These apps can be desktop apps that run on the device, or web apps. Some common .NET apps include:
+
+- **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF application development](/dotnet/desktop/wpf/app-development).
+
+- **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview).
+
+### Windows apps
+
+> [!TIP]
+> Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/).
+
+- **Apps**: All apps installed in the protected directory `C:\Program Files\WindowsApps`. There are two classes of these apps:
+
+  - **Installed**: Installed as part of the OS.
+
+  - **Provisioned**: Installed the first time you sign in with a new user account.
+
+    > [!TIP]
+    > To get a list of all provisioned apps, use Windows PowerShell:
+    >
+    > ```powershell
+    > Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
+    > ```
+    >
+    > The output lists all the provisioned apps, and their package names. For more information, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage).
+
+- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps.
+
+    For more information, see [What's a Universal Windows Platform (UWP) app?](/windows/uwp/get-started/universal-application-platform-guide).
+
+- **Win32 apps**: These apps are traditional Windows apps that run on the device, and are often called desktop apps. They require direct access to Windows and the device hardware, and typically don't require a web browser. These apps run in 32-bit mode on 64-bit devices, and don't depend on a managed runtime environment, like .NET.
+
+    For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Top 11 things you can do to make your app great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows).
+
+- **System apps**: Apps installed in the system root directory `C:\Windows\`. These apps are part of the Windows OS.
+
+    > [!TIP]
+    > To get a list of all the system apps, use Windows PowerShell:
+    >
+    > ```powershell
+    > `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
+    > ```
+    >
+    > The output lists all the system apps, and their installation location. For more information, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage).
+
+### Web apps
+
+Web apps and progressive web apps (PWA) run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have network access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform.
+
+Web apps are typically created in Visual Studio, and can be created with different languages. For more information, see [Create a web app](/visualstudio/get-started/csharp/tutorial-aspnet-core). When the app is created and ready to be used, you deploy the web app to a web server. Using Azure, you can host your web apps in the cloud, instead of on-premises. For more information, see [App Service overview](/azure/app-service/overview).
+
+When you use an MDM provider like Microsoft Intune, you can create shortcuts to your web apps and progressive web apps on devices. For more information, see [Add web apps to Microsoft Intune](/mem/intune/apps/web-app).
+
+## Android&trade;️ apps
+
+Starting with Windows 11, you can install Android&trade;️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with mobile apps just like others apps.
+
+For more information, see the following articles:
+
+- [Apps from the Amazon Appstore](https://support.microsoft.com/windows/apps-from-the-amazon-appstore-abed2335-81bf-490a-92e5-fe01b66e5c48)
+
+- [Windows Subsystem for Android developer information](/windows/android/wsa)
+
+## Add or deploy apps to devices
+
+When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options.
+
+### Manually install
+
+On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**.
+
+If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows client device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10).
+
+For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles).
+
+### Management service
+
+Use an MDM provider like Microsoft Intune, or an on-premises solution like Configuration Manager. For example, you can create app policies that deploy Microsoft 365 apps, deploy Win32 apps, create shortcuts to web apps, or add Store apps.
+
+For more information, see:
+
+- [Add apps to Microsoft Intune](/mem/intune/apps/apps-add)
+- [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management)
+
+### Microsoft Store
+
+When you use the Microsoft Store app, Windows users can download apps from the public store. They can also download apps provided by your organization, which is called the *private store*. If your organization creates its own apps, you can use [Windows Package Manager](/windows/package-manager) to add apps to the private store.
+
+> [!NOTE]
+> Retirement of the Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11.
+>
+> For more information, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/bc-p/3771217). This blog post describes the new Microsoft Store experience for both Windows 11 and Windows 10. To learn about other options for getting and managing apps, see [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft).
+
+To help manage the Microsoft Store on your devices, you can use policies:
+
+- On premises, you can use administrative templates in group policy to control access to the Microsoft Store app:
+  - `User Configuration\Administrative Templates\Windows Components\Store`
+  - `Computer Configuration\Administrative Templates\Windows Components\Store`
+
+- Using Microsoft Intune, you can use [administrative templates](/mem/intune/configuration/administrative-templates-windows) or the [Settings Catalog](/mem/intune/configuration/settings-catalog) to control access to the Microsoft Store app.
+
+### MSIX for desktop apps
+
+MSIX packages your UWP, Win32, WPF, and WinForm desktop application files. MSIX reliably installs apps, helps optimize disk storage space, and reduces duplicate files. If your organization typically uses `.EXE` or `.MSI` files to install desktop apps, then you should look into MSIX.
+
+To deploy MSIX packages and their apps, you can:
+
+- Use a management service, like Microsoft Intune and Configuration Manager.
+- Use an App Installer. User users double-click an installer file, or select a link on a web page.
+
+For more information, see the following articles:
+
+- [What is MSIX?](/windows/msix/overview)
+- [MSIX app distribution for enterprises](/windows/msix/desktop/managing-your-msix-deployment-enterprise)
+
+### Windows Package Manager
+
+Windows Package Manager is a command line tool commonly used by developers to install Windows apps. Using the command line, you can get apps from services like the Microsoft Store or GitHub, and install these apps on Windows devices. It's helpful if you want to bypass user interfaces for getting apps from organizations and from developers.
+
+If your organization uses `.EXE`, `.MSIX`, or `.MSI` files, then Windows Package Manager might be the right deployment option.
+
+For more information, see [Windows Package Manager](/windows/package-manager).
+
+### Azure Virtual desktop with MSIX app attach
+
+With Azure virtual desktop, you can virtualize the Windows client OS desktop, and use virtual apps on this desktop. With MSIX app attach, you dynamically deliver MSIX packaged apps to users and user groups.
+
+The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally.
+
+If you currently use App-V, and want to reduce your on-premises footprint, then **Azure Virtual desktop with MSIX app attach** might be the right deployment for your organization.
+
+For more information, see the following articles:
+
+- [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview)
+- [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal)
+
+### Application Virtualization (App-V)
+
+App-V allows Win32 apps to be used as virtual apps.
+
+> [!NOTE]
+> [!INCLUDE [Application Virtualization will be end of life in April 2026](./includes/app-v-end-life-statement.md)]
+
+On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally.
+
+The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](./app-v/appv-for-windows.md).
+
+## Manage apps
+
+To help manage your devices, and help manage apps on your devices, use a management service like Microsoft Intune and Configuration Manager. For more information, see the following articles:
+
+- [Overview of endpoint management](/mem/endpoint-manager-overview)
+- [Manage your apps and app data in Microsoft Intune](/mem/intune/fundamentals/manage-apps)
+- [Introduction to application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management)
+
+## Application compatibility
+
+Microsoft is committed to making sure your business-critical apps work on the latest versions of Windows. For more information, see the following articles:
+
+- [Compatibility for Windows 11](/windows/compatibility/windows-11/)
+- [FastTrack App Assure program](/windows/compatibility/app-assure)
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 1b840ef5a8..200ea7e859 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -1,24 +1,21 @@
 ---
-title: Per-user services in Windows 10 and Windows Server
+title: Per-user services
 description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
 author: aczechowski
 ms.author: aaroncz
 manager: aaroncz
 ms.date: 09/14/2017
-ms.topic: article
+ms.topic: how-to
 ms.prod: windows-client
 ms.technology: itpro-apps
 ms.localizationpriority: medium
 ms.collection: tier2
-ms.reviewer:
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server</a>
 ---
 
-# Per-user services in Windows 10 and Windows Server 
-
-**Applies to**:
-
-- Windows 10
-- Windows Server
+# Per-user services in Windows
 
 Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks. 
 
@@ -80,9 +77,9 @@ In light of these restrictions, you can use the following methods to manage per-
 
 You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). For more information, visit [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings).
 
-For example: 
+For example:
 
-```
+```ini
 [Unicode]
 Unicode=yes
 [Version]
@@ -128,7 +125,7 @@ If you can't use Group Policy Preferences to manage the per-user services, you c
 To disable the Template Services, change the Startup Type for each service to 4 (disabled). 
 For example:
 
-```code
+```cmd
 REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
 REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
 REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
@@ -163,9 +160,10 @@ You can create a script to change the Startup Type for the per-user services. Th
 
 Sample script using [sc.exe](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc990290(v=ws.11)?f=255&MSPPError=-2147217396):
 
-```
+```cmd
 sc.exe configure <service name> start= disabled
 ```
+
 The space after "=" is intentional.
 
 Sample script using the [Set-Service PowerShell cmdlet](/previous-versions/windows/it-pro/windows-powershell-1.0/ee176963(v=technet.10)):
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
index 93ceaacb2c..cb4377d22d 100644
--- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -63,7 +63,7 @@ To install the Company Portal app, you have some options:
   - [What is co-management?](/mem/configmgr/comanage/overview)
   - [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal)
 
-- **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Azure AD organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use.
+- **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Microsoft Entra organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use.
 
   - In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in.
 
diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md
index a7d6df5901..23b08e028e 100644
--- a/windows/application-management/remove-provisioned-apps-during-update.md
+++ b/windows/application-management/remove-provisioned-apps-during-update.md
@@ -1,22 +1,21 @@
 ---
-title: How to keep apps removed from Windows 10 from returning during an update
-description: How to keep provisioned apps that were removed from your machine from returning during an update.
+title: Keep removed apps from returning during an update
+description: When you remove provisioned apps from devices, this article explains how to keep those apps from returning during an update.
 author: aczechowski
 ms.author: aaroncz
 manager: aaroncz
 ms.date: 05/25/2018
-ms.topic: article
+ms.topic: how-to
 ms.prod: windows-client
 ms.technology: itpro-apps
 ms.localizationpriority: medium
 ms.collection: tier1
-ms.reviewer:
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
-# How to keep apps removed from Windows 10 from returning during an update
 
-**Applies to**:
+# Keep removed apps from returning during an update
 
-- Windows 10
 
 When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed post-update. This can happen if the computer was offline when you removed the apps. Windows 10, version 1803 has fixed this issue.
 
@@ -97,7 +96,7 @@ You're now ready to update your computer. After the update, check the list of ap
 
 ## Registry keys for provisioned apps
 
-```syntax
+```console
 Windows Registry Editor Version 5.00
 ;1709 Registry Keys
 
diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md
index 70f3c50177..be0e459235 100644
--- a/windows/application-management/sideload-apps-in-windows-10.md
+++ b/windows/application-management/sideload-apps-in-windows-10.md
@@ -1,24 +1,21 @@
 ---
-title: Sideload LOB apps in Windows client OS | Microsoft Docs
-description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device.
+title: Sideload line of business apps
+description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems. When you sideload an app, you deploy a signed app package to a device.
 author: aczechowski
 ms.author: aaroncz
 manager: aaroncz
 ms.date: 12/07/2017
-ms.topic: article
+ms.topic: how-to
 ms.prod: windows-client
 ms.technology: itpro-apps
 ms.localizationpriority: medium
 ms.collection: tier2
-ms.reviewer:
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
-# Sideload line of business (LOB) apps in Windows client devices
-
-**Applies to**:
-
-- Windows 10
-- Windows 11
+# Sideload line of business (LOB) apps
 
 > [!NOTE]
 > Starting with Windows 10 2004, sideloading is enabled by default. You can deploy a signed package onto a device without a special configuration.
@@ -27,7 +24,7 @@ Sideloading apps is when you install apps that aren't from an official source, s
 
 When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps. Sideloading was also available with Windows 8 and Windows 8.1
 
-Starting with Windows 10, sideloading is different than earlier versions of Windows:
+Starting with Windows 10, sideloading is different than earlier versions of Windows:
 
 - You can unlock a device for sideloading using an enterprise policy, or through the **Settings** app.
 - License keys aren't required.
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index eef38fed3e..7bc1bcf117 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -1,23 +1,20 @@
 ---
-title: Service Host service refactoring in Windows 10 version 1703
-description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703.
+title: Service host grouping in Windows 10
+description: Learn about the Service Host (SvcHost) service refactoring introduced in Windows 10 version 1703.
 author: aczechowski
 ms.author: aaroncz
 manager: aaroncz
 ms.date: 07/20/2017
-ms.topic: article
+ms.topic: concept-article
 ms.prod: windows-client
 ms.technology: itpro-apps
 ms.localizationpriority: medium
-ms.colletion: tier1
-ms.reviewer:
+ms.colletion: tier2
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
-# Changes to Service Host grouping in Windows 10
-
-**Applies to**:
-
-- Windows 10
+# Service host grouping in Windows 10
 
 The **Service Host (svchost.exe)** is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance doesn't affect other instances. Service Host groups are determined by combining the services with matching security requirements. For example:
 
diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml
index 0e7673be7a..be08bb1e0f 100644
--- a/windows/application-management/toc.yml
+++ b/windows/application-management/toc.yml
@@ -3,18 +3,22 @@ items:
   href: index.yml
 - name: Application management
   items:
-    - name: Common app types
-      href: apps-in-windows-10.md
-    - name: Add features in Windows client
+    - name: Overview of apps in Windows
+      href: overview-windows-apps.md
+    - name: Add or hide Windows features
       href: add-apps-and-features.md
-    - name: Sideload apps
+    - name: Sideload line of business (LOB) apps
       href: sideload-apps-in-windows-10.md
     - name: Private app repo on Windows 11
       href: private-app-repository-mdm-company-portal-windows-11.md
     - name: Remove background task resource restrictions
       href: enterprise-background-activity-controls.md
-    - name: Enable or block Windows Mixed Reality apps in the enterprise
-      href: /windows/mixed-reality/enthusiast-guide/manage-windows-mixed-reality
+    - name: Service host grouping in Windows 10
+      href: svchost-service-refactoring.md
+    - name: Per-user services in Windows
+      href: per-user-services-in-windows.md
+    - name: Keep removed apps from returning during an update
+      href: remove-provisioned-apps-during-update.md
 - name: Application Virtualization (App-V)
   items: 
     - name: App-V for Windows overview
@@ -251,14 +255,3 @@ items:
               href: app-v/appv-viewing-appv-server-publishing-metadata.md
             - name: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
               href: app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
-
-- name: Reference
-  items: 
-    - name: Service Host process refactoring
-      href: svchost-service-refactoring.md
-    - name: Per-user services in Windows
-      href: per-user-services-in-windows.md
-    - name: Disabling System Services in Windows Server
-      href: /windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server
-    - name: How to keep apps removed from Windows from returning during an update
-      href: remove-provisioned-apps-during-update.md
\ No newline at end of file
diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md
index 7f11d203d5..efb65c5991 100644
--- a/windows/client-management/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/azure-active-directory-integration-with-mdm.md
@@ -1,6 +1,6 @@
 ---
-title: Azure Active Directory integration with MDM
-description: Azure Active Directory is the world's largest enterprise cloud identity management service.
+title: Microsoft Entra integration with MDM
+description: Microsoft Entra ID is the world's largest enterprise cloud identity management service.
 ms.topic: article
 ms.collection:
 - highpri
@@ -8,90 +8,94 @@ ms.collection:
 ms.date: 08/10/2023
 ---
 
-# Azure Active Directory integration with MDM
+# Microsoft Entra integration with MDM
 
-Azure Active Directory is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
+Microsoft Entra ID is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Microsoft Entra ID as the underlying identity infrastructure. Windows integrates with Microsoft Entra ID, allowing devices to be registered in Microsoft Entra ID and enrolled into MDM in an integrated flow.
 
 Once a device is enrolled in MDM, the MDM:
 
 - Can enforce compliance with organization policies, add or remove apps, and more.
-- Can report a device's compliance in Azure AD.
-- Azure AD can allow access to organization resources or applications secured by Azure AD to devices that comply with policies.
+- Can report a device's compliance in Microsoft Entra ID.
+- Microsoft Entra ID can allow access to organization resources or applications secured by Microsoft Entra ID to devices that comply with policies.
 
-To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD.
+To support these rich experiences with their MDM product, MDM vendors can integrate with Microsoft Entra ID.
 
 ## Integrated MDM enrollment and UX
 
-There are several ways to connect your devices to Azure AD:
+There are several ways to connect your devices to Microsoft Entra ID:
 
-- [Join device to Azure AD](/azure/active-directory/devices/concept-azure-ad-join)
-- [Join device to on-premises AD and Azure AD](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
+- [Join device to Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join)
+- [Join device to on-premises AD and Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
 - [Add a Microsoft work account to Windows](/azure/active-directory/devices/concept-azure-ad-register)
 
-In each scenario, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
+In each scenario, Microsoft Entra authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
 
-In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
+In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Microsoft Entra ID respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
 
-For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
+For Microsoft Entra enrollment to work for an Active Directory Federated Services (AD FS) backed Microsoft Entra account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
 
-Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar.
+Once a user has a Microsoft Entra account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Microsoft Entra join for organization scenarios or BYOD scenarios is similar.
 
 > [!NOTE]
-> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Azure AD or work account.
+> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Microsoft Entra ID or work account.
 
-### MDM endpoints involved in Azure AD integrated enrollment
+<a name='mdm-endpoints-involved-in-azure-ad-integrated-enrollment'></a>
 
-Azure AD MDM enrollment is a two-step process:
+### MDM endpoints involved in Microsoft Entra integrated enrollment
+
+Microsoft Entra MDM enrollment is a two-step process:
 
 1. Display the Terms of Use and gather user consent: This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
 1. Enroll the device: This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
 
-To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**.
+To support Microsoft Entra enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**.
 
 - **Terms of Use endpoint**: Use this endpoint to inform users of the ways in which their organization can control their device. The **Terms of Use** page is responsible for collecting user's consent before the actual enrollment phase begins.
 
-    It's important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies.
+    It's important to understand the Terms of Use flow is an "opaque box" to Windows and Microsoft Entra ID. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies.
 
-    The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It's not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
+    The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It's not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Microsoft Entra ID.
 
-- **MDM enrollment endpoint**: After the users accept the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins.
+- **MDM enrollment endpoint**: After the users accept the Terms of Use, the device is registered in Microsoft Entra ID. Automatic MDM enrollment begins.
 
-    The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
+    The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Microsoft Entra ID. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Microsoft Entra ID (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Microsoft Entra ID. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
 
-    [![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)](images/azure-ad-enrollment-flow.png#lightbox)
+    [![Microsoft Entra enrollment flow](images/azure-ad-enrollment-flow.png)](images/azure-ad-enrollment-flow.png#lightbox)
 
-    The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
+    The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Microsoft Entra ID using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
 
-## Make MDM a reliable party of Azure AD
+<a name='make-mdm-a-reliable-party-of-azure-ad'></a>
 
-To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
+## Make MDM a reliable party of Microsoft Entra ID
+
+To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Microsoft Entra ID. To report compliance with Microsoft Entra ID, the MDM must authenticate itself to Microsoft Entra ID and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
 
 ### Cloud-based MDM
 
-A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
+A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Microsoft Entra ID in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
 
-The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Azure AD, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
+The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Microsoft Entra ID, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
 
 > [!NOTE]
-> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow these step-by-step guides:
+> For the MDM provider, if you don't have an existing Microsoft Entra tenant with a Microsoft Entra subscription that you manage, follow these step-by-step guides:
 >
-> - [Quickstart: Create a new tenant in Azure Active Directory](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant.
-> - [Associate or add an Azure subscription to your Azure Active Directory tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal.
+> - [Quickstart: Create a new tenant in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant.
+> - [Associate or add an Azure subscription to your Microsoft Entra tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal.
 
-The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, in the customer tenant where the managed device belongs.
+The MDM application uses keys to request access tokens from Microsoft Entra ID. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Microsoft Entra ID, in the customer tenant where the managed device belongs.
 
 > [!NOTE]
-> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats).
+> All MDM apps must implement Microsoft Entra v2 tokens before we certify that integration works. Due to changes in the Microsoft Entra app platform, using Microsoft Entra v2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats).
 
 ### On-premises MDM
 
-An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and have a separate key for authentication with Azure AD.
+An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and have a separate key for authentication with Microsoft Entra ID.
 
-To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application** > **Create your own application**. Administrators can configure the required URLs for enrollment and Terms of Use.
+To add an on-premises MDM application to the tenant, use the Microsoft Entra service, specifically under **Mobility (MDM and MAM)** > **Add application** > **Create your own application**. Administrators can configure the required URLs for enrollment and Terms of Use.
 
-Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
+Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Microsoft Entra ID when reporting device compliance.
 
-For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](/previous-versions/azure/dn499820(v=azure.100)).
+For more information about registering applications with Microsoft Entra ID, see [Basics of Registering an Application in Microsoft Entra ID](/previous-versions/azure/dn499820(v=azure.100)).
 
 ### Key management and security guidelines
 
@@ -99,22 +103,24 @@ The application keys used by your MDM service are a sensitive resource. They sho
 
 For security best practices, see [Microsoft Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
 
-For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants managed by the MDM vendor in their Azure AD tenant.
+For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants managed by the MDM vendor in their Microsoft Entra tenant.
 
-For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys.
+For the on-premises MDM, the Microsoft Entra authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys.
 
-## Publish your MDM app to Azure AD app gallery
+<a name='publish-your-mdm-app-to-azure-ad-app-gallery'></a>
 
-IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD.
+## Publish your MDM app to Microsoft Entra app gallery
+
+IT administrators use the Microsoft Entra app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Microsoft Entra ID.
 
 ### Add cloud-based MDM to the app gallery
 
 > [!NOTE]
-> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application
+> You should work with the Microsoft Entra engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application
 
-To publish your application, [submit a request to publish your application in Azure Active Directory application gallery](/azure/active-directory/manage-apps/v2-howto-app-gallery-listing)
+To publish your application, [submit a request to publish your application in Microsoft Entra application gallery](/azure/active-directory/manage-apps/v2-howto-app-gallery-listing)
 
-The following table shows the required information to create an entry in the Azure AD app gallery.
+The following table shows the required information to create an entry in the Microsoft Entra app gallery.
 
 | Item                | Description                                                                                                                                                                                                    |
 |---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -132,12 +138,12 @@ However, key management is different for on-premises MDM. You must obtain the cl
 
 ## Themes
 
-The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Avoid copying the templates because it is difficult to get the button placement right.
+The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Microsoft Entra join experience in OOBE where all of the pages are edge-to-edge HTML pages. Avoid copying the templates because it is difficult to get the button placement right.
 
 There are three distinct scenarios:
 
-1. MDM enrollment as part of Azure AD Join in Windows OOBE.
-1. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
+1. MDM enrollment as part of Microsoft Entra join in Windows OOBE.
+1. MDM enrollment as part of Microsoft Entra join, after Windows OOBE from **Settings**.
 1. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
 
 These scenarios support Windows Pro, Enterprise, and Education.
@@ -158,7 +164,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is
 
 ## Terms of Use protocol semantics
 
-The MDM server hosts the **Terms of Use** endpoint. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
+The MDM server hosts the **Terms of Use** endpoint. During the Microsoft Entra join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
 
 ### Redirect to the Terms of Use endpoint
 
@@ -175,7 +181,7 @@ The following parameters are passed in the query string:
 
 ### Access token
 
-Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
+Microsoft Entra ID issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
 
 **Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw...
 
@@ -200,7 +206,7 @@ https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm
 Authorization: Bearer eyJ0eXAiOi
 ```
 
-The MDM is expected to validate the signature of the access token to ensure it is issued by Azure AD and that the recipient is appropriate.
+The MDM is expected to validate the signature of the access token to ensure it is issued by Microsoft Entra ID and that the recipient is appropriate.
 
 ### Terms of Use content
 
@@ -225,7 +231,7 @@ At this point, the user is on the Terms of Use page shown during the OOBE or fro
   - **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use.
   - **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user.
 
-Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. The user can't decline the MDM enrollment if configured by the administrator for the Azure AD Join.
+Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Microsoft Entra join process. Don't show the decline button in the Microsoft Entra join process. The user can't decline the MDM enrollment if configured by the administrator for the Microsoft Entra join.
 
 We recommend that you send the client-request-id parameters in the query string as part of this redirect response.
 
@@ -251,14 +257,16 @@ The following table shows the error codes.
 |--------------------------------------------------------------------------------------------------|-------------|---------------------|-----------------------------|
 | api-version                                                                                      | 302         | invalid_request     | unsupported version         |
 | Tenant or user data are missing or other required prerequisites for device enrollment aren't met | 302         | unauthorized_client | unauthorized user or tenant |
-| Azure AD token validation failed                                                                 | 302         | unauthorized_client | unauthorized_client         |
+| Microsoft Entra token validation failed                                                                 | 302         | unauthorized_client | unauthorized_client         |
 | internal service error                                                                           | 302         | server_error        | internal service error      |
 
-## Enrollment protocol with Azure AD
+<a name='enrollment-protocol-with-azure-ad'></a>
+
+## Enrollment protocol with Microsoft Entra ID
 
 With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
 
-|Detail|Traditional MDM enrollment|Azure AD Join (organization-owned device)|Azure AD adds a work account (user-owned device)|
+|Detail|Traditional MDM enrollment|Microsoft Entra join (organization-owned device)|Microsoft Entra ID adds a work account (user-owned device)|
 |--- |--- |--- |--- |
 |MDM auto-discovery using email address to retrieve MDM discovery URL|Enrollment|Not applicable<br>Discovery URL provisioned in Azure||
 |Uses MDM discovery URL|Enrollment<br>Enrollment renewal<br>ROBO|Enrollment<br>Enrollment renewal<br>ROBO|Enrollment<br>Enrollment renewal<br>ROBO|
@@ -268,7 +276,7 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
 |EnrollmentServiceURL|Required (all auth)|Used (all auth)|Used (all auth)|
 |EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL|Highly recommended|Highly recommended|Highly recommended|
 |AuthenticationServiceURL used|Used (Federated auth)|Skipped|Skipped|
-|BinarySecurityToken|Custom per MDM|Azure AD issued token|Azure AD issued token|
+|BinarySecurityToken|Custom per MDM|Microsoft Entra ID issued token|Microsoft Entra ID issued token|
 |EnrollmentType|Full|Device|Full|
 |Enrolled certificate type|User certificate|Device certificate|User certificate|
 |Enrolled certificate store|My/User|My/System|My/User|
@@ -276,41 +284,45 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
 |EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported|
 |CSPs accessible during enrollment|Windows 10 support: <br/>- DMClient <br/>- CertificateStore <br/>- RootCATrustedCertificates <br/> - ClientCertificateInstall <br/>- EnterpriseModernAppManagement <br/> - PassportForWork <br/> - Policy <br/> - w7 APPLICATION|||
 
-## Management protocol with Azure AD
+<a name='management-protocol-with-azure-ad'></a>
 
-There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
+## Management protocol with Microsoft Entra ID
 
-- **Multiple user management for Azure AD-joined devices**
+There are two different MDM enrollment types that integrate with Microsoft Entra ID, and use Microsoft Entra user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
 
-  In this scenario, the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest is logged on to the device.
+- **Multiple user management for Microsoft Entra joined devices**
+
+  In this scenario, the MDM enrollment applies to every Microsoft Entra user who signs in to the Microsoft Entra joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Microsoft Entra user tokens. Each management session contains an extra HTTP header that contains a Microsoft Entra user token. This information is provided in the DM package sent to the management server. However, in some circumstances Microsoft Entra user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Microsoft Entra join process. Until Microsoft Entra join process is finished and Microsoft Entra user signs on to the machine, Microsoft Entra user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Microsoft Entra user sign in to machine and the initial management session doesn't contain a Microsoft Entra user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Microsoft Entra token in the OMA-DM payload is when a guest is logged on to the device.
 
 - **Adding a work account and MDM enrollment to a device**:
 
-  In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
+  In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Microsoft Entra tokens that may be sent over during management session. Whether Microsoft Entra token is present or missing, the management server sends both user and device policies to the device.
 
-- **Evaluating Azure AD user tokens**:
+- **Evaluating Microsoft Entra user tokens**:
 
-  The Azure AD token is in the HTTP Authorization header in the following format:
+  The Microsoft Entra token is in the HTTP Authorization header in the following format:
 
   ```console
   Authorization:Bearer <Azure AD User Token Inserted here>
   ```
 
-  More claims may be present in the Azure AD token, such as:
+  More claims may be present in the Microsoft Entra token, such as:
 
   - User - user currently logged in
   - Device compliance - value set the MDM service into Azure
   - Device ID - identifies the device that is checking in
   - Tenant ID
 
-  Access tokens issued by Azure AD are JSON web tokens (JWTs). Windows presents a valid JWT token to the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
+  Access tokens issued by Microsoft Entra ID are JSON web tokens (JWTs). Windows presents a valid JWT token to the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
 
   - Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
-  - Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
+  - Refer to the Microsoft Entra authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
 
-## Device Alert 1224 for Azure AD user token
+<a name='device-alert-1224-for-azure-ad-user-token'></a>
 
-An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM package #1. Here's an example:
+## Device Alert 1224 for Microsoft Entra user token
+
+An alert is sent when the DM session starts and there's a Microsoft Entra user logged in. The alert is sent in OMA DM package #1. Here's an example:
 
 ```xml
 Alert Type: com.microsoft/MDM/AADUserToken
@@ -338,8 +350,8 @@ An alert is sent to the MDM server in DM package \#1.
 - Alert type - `com.microsoft/MDM/LoginStatus`
 - Alert format - `chr`
 - Alert data - provide sign-in status information for the current active logged in user.
-  - Signed-in user who has an Azure AD account - predefined text: user.
-  - Signed-in user without an Azure AD account- predefined text: others.
+  - Signed-in user who has a Microsoft Entra account - predefined text: user.
+  - Signed-in user without a Microsoft Entra account- predefined text: others.
   - No active user - predefined text:none
 
 Here's an example.
@@ -360,14 +372,16 @@ Here's an example.
 </SyncBody>
 ```
 
-## Report device compliance to Azure AD
+<a name='report-device-compliance-to-azure-ad'></a>
 
-Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
+## Report device compliance to Microsoft Entra ID
+
+Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Microsoft Entra ID. This section covers the Graph API call you can use to report a device compliance status to Microsoft Entra ID.
 
 For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
 
-- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
-- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
+- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Microsoft Entra ID.
+- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Microsoft Entra ID. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Microsoft Entra ID.
 
 ### Use Microsoft Graph API
 
@@ -390,9 +404,9 @@ Content-Type: application/json
 
 Where:
 
-- **contoso.com** - This value is the name of the Azure AD tenant to whose directory the device has been joined.
-- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Azure AD.
-- **eyJ0eXAiO**......... - This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
+- **contoso.com** - This value is the name of the Microsoft Entra tenant to whose directory the device has been joined.
+- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Microsoft Entra ID.
+- **eyJ0eXAiO**......... - This value is the bearer access token issued by Microsoft Entra ID to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
 - **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
 - **api-version** - Use this parameter to specify which version of the graph API is being requested.
 
@@ -401,9 +415,11 @@ Response:
 - Success - HTTP 204 with No Content.
 - Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
 
-## Data loss during unenrollment from Azure Active Directory Join
+<a name='data-loss-during-unenrollment-from-azure-active-directory-join'></a>
 
-When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
+## Data loss during unenrollment from Microsoft Entra join
+
+When a user is enrolled into MDM through Microsoft Entra join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
 
 ![aadj unenrollment.](images/azure-ad-unenrollment.png)
 
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index 636a885451..e1c894e2c5 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -7,12 +7,12 @@ ms.date: 08/10/2023
 
 # Automatic MDM enrollment in the Intune admin center
 
-Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure portal.
+Windows devices can be enrolled in to Intune automatically when they join or register with Microsoft Entra ID. Automatic enrollment can be configured in Azure portal.
 
-1. Go to your Azure AD portal.
+1. Go to your Microsoft Entra admin center.
 1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
 1. Select **Microsoft Intune** and configure the enrollment options. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group).
 
    ![Configure the Blade.](images/azure-intune-configure-scope.png)
 
-1. Select **Save** to configure MDM autoenrollment for Azure AD joined devices and bring-your-own-device scenarios.
+1. Select **Save** to configure MDM autoenrollment for Microsoft Entra joined devices and bring-your-own-device scenarios.
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
index 84c1486cec..522b5d05b6 100644
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
@@ -7,7 +7,7 @@ ms.date: 08/10/2023
 
 # Bulk enrollment using Windows Configuration Designer
 
-Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join enrollment scenario.
+Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Microsoft Entra join enrollment scenario.
 
 ## Typical use cases
 
@@ -23,10 +23,10 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
 
 > [!NOTE]
 >
-> - Bulk-join is not supported in Azure Active Directory Join.
+> - Bulk-join is not supported in Microsoft Entra join.
 > - Bulk enrollment does not work in Intune standalone environment.
 > - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
-> - To change bulk enrollment settings, login to **Azure AD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
+> - To change bulk enrollment settings, login to **Microsoft Entra ID**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
 > - Bulk Token creation is not supported with federated accounts.
 
 ## What you need
diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
index 56f57c950e..2e3e741284 100644
--- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
@@ -1,6 +1,6 @@
 ---
-title: Connect to remote Azure Active Directory joined device
-description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device.
+title: Connect to remote Microsoft Entra joined device
+description: Learn how to use Remote Desktop Connection to connect to a Microsoft Entra joined device.
 ms.localizationpriority: medium
 ms.date: 08/10/2023
 ms.topic: article
@@ -9,36 +9,38 @@ ms.collection:
 - tier2
 ---
 
-# Connect to remote Azure Active Directory joined device
+# Connect to remote Microsoft Entra joined device
 
-Windows supports remote connections to devices joined to Active Directory s well as devices joined to Azure Active Directory (Azure AD) using Remote Desktop Protocol (RDP).
+Windows supports remote connections to devices joined to Active Directory s well as devices joined to Microsoft Entra ID using Remote Desktop Protocol (RDP).
 
 - Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
-- Starting in Windows 10/11, with 2022-10 update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication).
+- Starting in Windows 10/11, with 2022-10 update installed, you can [use Microsoft Entra authentication to connect to the remote Microsoft Entra device](#connect-with-azure-ad-authentication).
 
 ## Prerequisites
 
 - Both devices (local and remote) must be running a supported version of Windows.
 - Remote device must have the **Connect to and use this PC from another device using the Remote Desktop app** option selected under **Settings** > **System** > **Remote Desktop**.
   - It's recommended to select **Require devices to use Network Level Authentication to connect** option.
-- If the user who joined the device to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device.
+- If the user who joined the device to Microsoft Entra ID is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device.
 - Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard) is turned off on the device you're using to connect to the remote device.
 
-## Connect with Azure AD Authentication
+<a name='connect-with-azure-ad-authentication'></a>
 
-Azure AD Authentication can be used on the following operating systems for both the local and remote device:
+## Connect with Microsoft Entra authentication
+
+Microsoft Entra authentication can be used on the following operating systems for both the local and remote device:
 
 - Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed.
 - Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed.
 - Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed.
 
-There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from:
+There's no requirement for the local device to be joined to a domain or Microsoft Entra ID. As a result, this method allows you to connect to the remote Microsoft Entra joined device from:
 
-- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device.
+- [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device.
 - Active Directory joined device.
 - Workgroup device.
 
-Azure AD authentication can also be used to connect to Hybrid Azure AD joined devices.
+Microsoft Entra authentication can also be used to connect to Microsoft Entra hybrid joined devices.
 
 To connect to the remote computer:
 
@@ -48,29 +50,31 @@ To connect to the remote computer:
 
     > [!NOTE]
     > IP address cannot be used when **Use a web account to sign in to the remote computer** option is used.
-    > The name must match the hostname of the remote device in Azure AD and be network addressable, resolving to the IP address of the remote device.
+    > The name must match the hostname of the remote device in Microsoft Entra ID and be network addressable, resolving to the IP address of the remote device.
 
 - When prompted for credentials, specify your user name in `user@domain.com` format.
-- You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect.
+- You're then prompted to allow the remote desktop connection when connecting to a new PC. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect.
 
 > [!IMPORTANT]
-> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. Conditional Access policies with [grant controls](/azure/active-directory/conditional-access/concept-conditional-access-grant) and [session controls](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) may be applied to the application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** for controlled access.
+> If your organization has configured and is using [Microsoft Entra Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. Conditional Access policies with [grant controls](/azure/active-directory/conditional-access/concept-conditional-access-grant) and [session controls](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) may be applied to the application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** for controlled access.
 
 ### Disconnection when the session is locked
 
-The Windows lock screen in the remote session doesn't support Azure AD authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected.
+The Windows lock screen in the remote session doesn't support Microsoft Entra authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected.
 
-Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Azure AD reevaluates the applicable conditional access policies.
+Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Microsoft Entra ID reevaluates the applicable conditional access policies.
 
-## Connect without Azure AD Authentication
+<a name='connect-without-azure-ad-authentication'></a>
 
-By default, RDP doesn't use Azure AD authentication, even if the remote PC supports it. This method allows you to connect to the remote Azure AD joined device from:
+## Connect without Microsoft Entra authentication
 
-- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device using Windows 10, version 1607 or later.
-- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) device using Windows 10, version 2004 or later.
+By default, RDP doesn't use Microsoft Entra authentication, even if the remote PC supports it. This method allows you to connect to the remote Microsoft Entra joined device from:
+
+- [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device using Windows 10, version 1607 or later.
+- [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) device using Windows 10, version 2004 or later.
 
 > [!NOTE]
-> Both the local and remote device must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop.
+> Both the local and remote device must be in the same Microsoft Entra tenant. Microsoft Entra B2B guests aren't supported for Remote desktop.
 
 To connect to the remote computer:
 
@@ -79,26 +83,26 @@ To connect to the remote computer:
 - When prompted for credentials, specify your user name in either `user@domain.com` or `AzureAD\user@domain.com` format.
 
 > [!TIP]
-> If you specify your user name in `domain\user` format, you may receive an error indicating the logon attempt failed with the message **Remote machine is AAD joined. If you are signing in to your work account, try using your work email address**.
+> If you specify your user name in `domain\user` format, you may receive an error indicating the logon attempt failed with the message **Remote machine is Microsoft Entra joined. If you are signing in to your work account, try using your work email address**.
 
 > [!NOTE]
 > For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections.
 
 ### Supported configurations
 
-This table lists the supported configurations for remotely connecting to an Azure AD joined device without using Azure AD authentication:
+This table lists the supported configurations for remotely connecting to a Microsoft Entra joined device without using Microsoft Entra authentication:
 
 | **Criteria**                               | **Client operating system**       | **Supported credentials**                                          |
 |--------------------------------------------|-----------------------------------|--------------------------------------------------------------------|
-| RDP from **Azure AD registered device**    | Windows 10, version 2004 or later | Password, smart card                                               |
-| RDP from **Azure AD joined device**        | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
-| RDP from **hybrid Azure AD joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
+| RDP from **Microsoft Entra registered device**    | Windows 10, version 2004 or later | Password, smart card                                               |
+| RDP from **Microsoft Entra joined device**        | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
+| RDP from **Microsoft Entra hybrid joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
 
 > [!NOTE]
-> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure AD joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
+> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Microsoft Entra joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
 
 > [!NOTE]
-> When an Azure AD group is added to the **Remote Desktop Users** group on a Windows device, it isn't honored when the user that belongs to the Azure AD group logs in through RDP, resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection.
+> When a Microsoft Entra group is added to the **Remote Desktop Users** group on a Windows device, it isn't honored when the user that belongs to the Microsoft Entra group logs in through RDP, resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection.
 
 ## Add users to Remote Desktop Users group
 
@@ -106,7 +110,7 @@ Remote Desktop Users group is used to grant users and groups permissions to remo
 
 - **Adding users manually**:
 
-  You can specify individual Azure AD accounts for remote connections by running the following command, where `<userUPN>` is the UPN of the user, for example `user@domain.com`:
+  You can specify individual Microsoft Entra accounts for remote connections by running the following command, where `<userUPN>` is the UPN of the user, for example `user@domain.com`:
 
   ```cmd
   net localgroup "Remote Desktop Users" /add "AzureAD\<userUPN>"
@@ -116,7 +120,7 @@ Remote Desktop Users group is used to grant users and groups permissions to remo
 
 - **Adding users using policy**:
 
-  Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
+  Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Microsoft Entra joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
 
 ## Related articles
 
diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md
index e83331a476..5c867f498d 100644
--- a/windows/client-management/client-tools/mandatory-user-profile.md
+++ b/windows/client-management/client-tools/mandatory-user-profile.md
@@ -51,7 +51,7 @@ First, you create a default user profile with the customizations that you want,
 
 1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
 
-1. Uninstall any application you don't need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10).
+1. Uninstall any application you don't need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/overview-windows-apps).
 
    > [!NOTE]
    > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md
index 615806cfd5..58eceea5e1 100644
--- a/windows/client-management/client-tools/quick-assist.md
+++ b/windows/client-management/client-tools/quick-assist.md
@@ -19,7 +19,7 @@ All that's required to use Quick Assist is suitable network and internet connect
 
 ### Authentication
 
-The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported.
+The helper can authenticate when they sign in by using a Microsoft account (MSA) or Microsoft Entra ID. Local Active Directory authentication isn't currently supported.
 
 ### Network considerations
 
@@ -36,7 +36,7 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis
 | `*.registrar.skype.com` | Required for Azure Communication Service. |
 | `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
 | `*.trouter.skype.com` | Used for Azure Communication Service for chat and connection between parties. |
-| `aadcdn.msauth.net` | Required for logging in to the application (Azure AD). |
+| `aadcdn.msauth.net` | Required for logging in to the application (Microsoft Entra ID). |
 | `edge.skype.com` | Used for Azure Communication Service for chat and connection between parties. |
 | `login.microsoftonline.com` | Required for Microsoft login service. |
 | `remoteassistanceprodacs.communication.azure.com` | Used for Azure Communication Service for chat and connection between parties. |
diff --git a/windows/client-management/client-tools/toc.yml b/windows/client-management/client-tools/toc.yml
index 311cb0c84f..115ff9afd8 100644
--- a/windows/client-management/client-tools/toc.yml
+++ b/windows/client-management/client-tools/toc.yml
@@ -3,7 +3,7 @@ items:
     href: administrative-tools-in-windows.md
   - name: Use Quick Assist to help users
     href: quick-assist.md
-  - name: Connect to remote Azure Active Directory-joined PC
+  - name: Connect to remote Microsoft Entra joined PC
     href: connect-to-remote-aadj-pc.md
   - name: Create mandatory user profiles
     href: mandatory-user-profile.md
diff --git a/windows/client-management/declared-configuration-extensibility.md b/windows/client-management/declared-configuration-extensibility.md
new file mode 100644
index 0000000000..3121be77f0
--- /dev/null
+++ b/windows/client-management/declared-configuration-extensibility.md
@@ -0,0 +1,251 @@
+---
+title: Declared configuration extensibility
+description: Learn more about declared configuration extensibility through native WMI providers.
+ms.date: 09/26/2023
+ms.topic: how-to
+---
+
+# Declared configuration extensibility providers
+
+The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that has implemented a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and may implement any number of string properties.
+
+> [!NOTE]
+> Only string properties are currently supported by extensibility providers.
+
+```mof
+[static, Description ("Get resource state based on input configuration file." )]
+uint32 GetTargetResource(
+    [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that is to be applied.")]
+    string InputResource,
+    [in, Description ("Flags passed to the provider. Reserved for future use." )]
+    uint32 Flags,
+    [out, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("The current state of the specified configuration resources." )]
+    string OutputResource
+);
+
+[static, Description ("Test resource state based on input configuration file." )]
+uint32 TestTargetResource(
+    [in, EmbeddedInstance("MSFT_FileDirectoryConfiguration"), Description ("Configuration document to be applied." )]
+    string InputResource,
+    [in, Description ("Flags passed to the provider. reserved for future use." )]
+    uint32 Flags,
+    [out, Description ("True if identical. False otherwise." )]
+    boolean Result,
+    [out, Description ("Context information the provider can use to optimize the set. This is optional." )]
+    uint64 ProviderContext
+);
+
+[static, Description ("Set resource state based on input configuration file." )]
+uint32 SetTargetResource(
+    [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"),
+    Description ("Configuration document to be applied." )]
+    string InputResource,
+    [in, Description ("Context information the provider can use to optimize the set from SetTargetResource. This is optional." )]
+    uint64 ProviderContext,
+    [in, Description ("Flags passed to the provider. reserved for future use." )]
+    uint32 Flags
+);
+```
+
+## Author desired state configuration resources
+
+To create a native WMI provider, follow the steps outlined in [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider). These steps include how to generate the source code for an MI interface using the `Convert-MofToProvider.exe` tool to generate the DLL and prepare it for placement.
+
+1. Create a MOF file that defines the schema for the desired state configuration resource including parameters and methods. This file includes the required parameters for the resource.
+2. Copy the schema MOF file along with any required files into the provider tools directory, for example: ProviderGenerationTool.
+3. Edit the required files and include the correct file names and class names.
+4. Invoke the provider generator tool to generate the provider's project files.
+5. Copy the generated files into the provider's project folder.
+6. Start the development process.
+
+## Example
+
+This example provides more details about each step to demonstrate how to implement a sample native resource named `MSFT_FileDirectoryConfiguration`.
+
+### Step 1: Create the resource schema MOF file
+
+Create a sample schema MOF file used to generate the initial source code for the `MSFT_FileDirectoryConfiguration` native resource. Place it in the project directory named `MSFT_FileDirectoryConfiguration`.
+
+```mof
+#pragma include ("cim_schema_2.26.0.mof")
+#pragma include ("OMI_BaseResource.mof")
+#pragma include ("MSFT_Credential.mof")
+
+[ClassVersion("1.0.0"), Description("The configuration provider for files and directories.")]
+class MSFT_FileDirectoryConfiguration : OMI_BaseResource
+{
+    [Key, Description("File name and path on target node to copy or create.")]
+    string DestinationPath;
+
+    [Write, Description("The name and path of the file to copy from.")]
+    string SourcePath;
+
+    [Write, Description("Contains a string that represents the contents of the file. To create an empty file, the string must be empty. The contents will be written and compared using UTF-8 character encoding.")]
+    string Contents;
+
+    [static, Description ("Get resource states based on input configuration file." )]
+    uint32 GetTargetResource(
+        [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that is to be applied." )]
+        string InputResource,
+
+        [in,Description ("Flags passed to the providers. Reserved for future use." )]
+        uint32 Flags,
+
+        [out, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("The current state of the specified configuration resources." )]
+        string OutputResource
+    );
+
+    [static, Description ("Test resource states based on input configuration file." )]
+    uint32 TestTargetResource(
+        [in, EmbeddedInstance("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that to be applied." )]
+        string InputResource,
+
+        [in, Description ("Flags passed to the providers. reserved for future use." )]
+        uint32 Flags,
+
+        [out, Description ("True if identical. False otherwise." )]
+        boolean Result,
+
+        [out, Description ("Context information that the provider can use to optimize the set, This is optional." )]
+        uint64 ProviderContext
+    );
+
+    [static, Description ("Set resource states based on input configuration file." )]
+    uint32 SetTargetResource(
+        [in, EmbeddedInstance ("MSFT_FileDirectoryConfiguration"), Description ("Configuration document that to be applied." )]
+        string InputResource,
+
+        [in, Description ("Context information that the provider can use to optimize the set from TestTargetResource, This is optional." )]
+        uint64 ProviderContext,
+
+        [in, Description ("Flags passed to the providers. reserved for future use." )]
+        uint32 Flags
+    );
+};
+```
+
+> [!NOTE]
+>
+> - The class name and DLL file name should be the same, as defined in the `Provider.DEF` file.
+> - The type qualifier `[Key]` on a property indicates that it uniquely identifies the resource instance. At least one `[Key]` property is required.
+> - The `[Required]` qualifier indicates that the property is required. In other words, a value must be specified in any configuration script that uses this resource.
+> - The `[write]` qualifier indicates that the property is optional when using the custom resource in a configuration script. The `[read]` qualifier indicates that a property can't be set by a configuration, and is for reporting purposes only.
+> - The `[Values]` qualifier restricts the values that can be assigned to the property. Define the list of allowed values in `[ValueMap]`. For more information, see [ValueMap and value qualifiers](/windows/win32/wmisdk/value-map).
+> - Any new MOF file should include the following lines at the top of the file:
+>
+>     ```mof
+>     #pragma include ("cim_schema_2.26.0.mof")
+>     #pragma include ("OMI_BaseResource.mof")
+>     #pragma include ("MSFT_Credential.mof")
+>     ```
+>
+> - Method names and its parameters should be same for every resource. Change `MSFT_FileDirectoryConfiguration` from EmbeddedInstance value to the class name of the desired provider. There should be only one provider per MOF file.
+
+### Step 2: Copy the schema MOF files
+
+Copy these required files and folders to the project directory you created in step 1:
+
+- `CIM-2.26.0`
+- `codegen.cmd`
+- `Convert-MofToProvider.exe`
+- `MSFT_Credential.mof`
+- `MSFT_DSCResource.mof`
+- `OMI_BaseResource.mof`
+- `OMI_Errors.mof`
+- `Provider.DEF`
+- `wmicodegen.dll`
+
+For more information on how to obtain the required files, see [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider).
+
+### Step 3: Edit the required files
+
+Modify the following files in the project directory:
+
+- `MSFT_FileDirectoryConfiguration.mof`: You created this file in step 1.
+- `Provider.DEF`: This file contains the DLL name, for example, `MSFT_FileDirectoryConfiguration.dll`.
+- `codegen.cmd`: This file contains the command to invoke `convert-moftoprovider.exe`.
+
+    ```cmd
+    "convert-moftoprovider.exe" ^
+       -MofFile MSFT_FileDirectoryConfiguration.mof ^
+                MSFT_DSCResource.mof ^
+                OMI_Errors.mof ^
+       -ClassList MSFT_FileDirectoryConfiguration ^
+       -IncludePath CIM-2.26.0 ^
+       -ExtraClass OMI_Error ^
+                   MSFT_DSCResource ^
+       -OutPath temp
+    ```
+
+### Step 4: Run the provider generator tool
+
+Run `codegen.cmd`, which runs the `convert-moftoprovider.exe` command. Alternatively, you can run the command directly.
+
+### Step 5: Copy the generated source files
+
+The command in step 3 specifies the `-OutPath` parameter, which in this example is a folder named `temp`. When you run the tool in step 4, it creates new files in this folder. Copy the generated files from this `temp` folder to the project directory. You created the project directory in step 1, which in this example is `MSFT_FileDirectoryConfiguration`.
+
+> [!NOTE]
+> Any time you update the schema MOF file, run the `codegen.cmd` script to regenerate the source files. Rerunning the generator tool overwrites any existing the source files. To prevent this behavior, this example uses a temporary folder. Minimize updates to the schema MOF file since the main implementation should be merged with the most recent auto-generated source files.
+
+### About the `MSFT_FileDirectoryConfiguration` resource
+
+After you run the provider generator tool, it creates several source and header files:
+
+- `MSFT_FileDirectoryConfiguration.c`
+- `MSFT_FileDirectoryConfiguration.h`
+- `module.c`
+- `schema.c`
+- `WMIAdapter.c`
+
+From this list, you only need to modify `MSFT_FileDirectoryConfiguration.c` and `MSFT_FileDirectoryConfiguration.h`. You can also change the extension for the source files from `.c` to `.cpp`, which is the case for this resource. The business logic for this resource is implemented in `MSFT_FileDirectoryConfigurationImp.cpp` and `MSFT_FileDirectoryConfigurationImp.h`. These new files are added to the `MSFT_FileDirectoryConfiguration` project directory after you run the provider generator tool.
+
+For a native desired state configuration resource, you have to implement three autogenerated functions in `MSFT_FileDirectoryConfiguration.cpp`:
+
+- `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource`
+- `MSFT_FileDirectoryConfiguration_Invoke_TestTargetResource`
+- `MSFT_FileDirectoryConfiguration_Invoke_SetTargetResource`
+
+From these three functions, only `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource` is required for a Get scenario. `MSFT_FileDirectoryConfiguration_Invoke_TestTargetResource` and `MSFT_FileDirectoryConfiguration_Invoke_SetTargetResource` are used when remediation is needed.
+
+There are several other autogenerated functions in `MSFT_FileDirectoryConfiguration.cpp` that don't need implementation for a native desired state configuration resource. You don't need to modify the following functions:
+
+- `MSFT_FileDirectoryConfiguration_Load`
+- `MSFT_FileDirectoryConfiguration_Unload`
+- `MSFT_FileDirectoryConfiguration_EnumerateInstances`
+- `MSFT_FileDirectoryConfiguration_GetInstance`
+- `MSFT_FileDirectoryConfiguration_CreateInstance`
+- `MSFT_FileDirectoryConfiguration_ModifyInstance`
+- `MSFT_FileDirectoryConfiguration_DeleteInstance`
+
+### About `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource`
+
+The `MSFT_FileDirectoryConfiguration_Invoke_GetTargetResource` function does the following steps to complete its task:
+
+1. Validate the input resource.
+1. Ensure the keys and required parameters are present.
+1. Create a resource instance that is used as the output of the Get method. This instance is of type `MSFT_FileDirectoryConfiguration`, which is derived from `MI_Instance`.
+1. Create the output resource instance from the modified resource instance and return it to the MI client by calling these functions:
+
+    - `MSFT_FileDirectoryConfiguration_GetTargetResource_Construct`
+    - `MSFT_FileDirectoryConfiguration_GetTargetResource_SetPtr_OutputResource`
+    - `MSFT_FileDirectoryConfiguration_GetTargetResource_Set_MIReturn`
+    - `MSFT_FileDirectoryConfiguration_GetTargetResource_Post`
+    - `MSFT_FileDirectoryConfiguration_GetTargetResource_Destruct`
+
+1. Clean up resources, for example, free allocated memory.
+
+## MI implementation references
+
+- [Introducing the management infrastructure (MI) API](/archive/blogs/wmi/introducing-new-management-infrastructure-mi-api)
+- [Implementing MI provider (1) - Overview](/archive/blogs/wmi/implementing-mi-provider-1-overview)
+- [Implementing MI provider (2) - Define schema](/archive/blogs/wmi/implementing-mi-provider-2-define-schema)
+- [Implementing MI provider (3) - Generate code](/archive/blogs/wmi/implementing-mi-provider-3-generate-code)
+- [Implementing MI provider (4) - Generate code (continue)](/archive/blogs/wmi/implementing-mi-provider-4-generate-code-continute)
+- [Implementing MI provider (5) - Implement](/archive/blogs/wmi/implementing-mi-provider-5-implement)
+- [Implementing MI provider (6) - Build, register, and debug](/archive/blogs/wmi/implementing-mi-provider-6-build-register-and-debug)
+- [MI interfaces](/previous-versions/windows/desktop/wmi_v2/mi-interfaces)
+- [MI datatypes](/previous-versions/windows/desktop/wmi_v2/mi-datatypes)
+- [MI structures and unions](/previous-versions/windows/desktop/wmi_v2/mi-structures-and-unions)
+- [MI_Result enumeration (mi.h)](/windows/win32/api/mi/ne-mi-mi_result)
+- [MI_Type enumeration (mi.h)](/windows/win32/api/mi/ne-mi-mi_type)
diff --git a/windows/client-management/declared-configuration.md b/windows/client-management/declared-configuration.md
new file mode 100644
index 0000000000..f655d1ae19
--- /dev/null
+++ b/windows/client-management/declared-configuration.md
@@ -0,0 +1,65 @@
+---
+title: Declared configuration protocol
+description: Learn more about using declared configuration protocol for desired state management of Windows devices.
+ms.date: 09/26/2023
+ms.topic: overview
+---
+
+# What is the declared configuration protocol
+
+The declared configuration protocol is based on a desired state device configuration model, though it still uses the underlying OMA-DM Syncml protocol. Through a dedicated OMA-DM server, it provides all the settings in a single batch through this protocol. The device's declared configuration client stack can reason over the settings to achieve the desired scenario in the most efficient and reliable manner.
+
+The declared configuration protocol requires that a device has a separate [OMA-DM enrollment](mdm-overview.md), which is dependent on the device being enrolled with the primary OMA-DM server. The desired state model is a different model from the current model where the server is responsible for the device's desire state. This dual enrollment is only allowed if the device is already enrolled into a primary MDM server. This other enrollment separates the desired state management functionality from the primary functionality. The declared configuration enrollment's first desired state management model feature is called [extensibility](declared-configuration-extensibility.md).
+
+:::image type="content" source="images/declared-configuration-model.png" alt-text="Diagram illustrating the declared configuration model.":::
+
+With the [Declared Configuration CSP](mdm/declaredconfiguration-csp.md), the OMA-DM server can provide the device with the complete collection of setting names and associated values based on a specified scenario. The declared configuration stack on the device is responsible for handling the configuration request, and maintaining its state including updates to the scenario.
+
+The benefit of the declared configuration desired state model is that it's efficient and accurate, especially since it's the responsibility of the declared configuration client to configure the device. The efficiency of declared configuration is because the client can asynchronously process batches of scenario settings, which free up the server resources to do other work. Thus the declared configuration protocol has low latency. As for configuration quality and accuracy, the declared configuration client stack has detailed knowledge of the configuration surface area of the device. This behavior includes the proper handling of continuous device updates that affect the configuration scenario.
+
+## Declared configuration enrollment
+
+[Mobile Device Enrollment Protocol version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) describes enrollment including discovery, which covers the primary and declared configuration enrollments. The device uses the following new [DMClient CSP](mdm/dmclient-csp.md) policies for declared configuration dual enrollment:
+
+- [LinkedEnrollment/Enroll](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentenroll)
+- [LinkedEnrollment/Unenroll](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentunenroll)
+- [LinkedEnrollment/EnrollStatus](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentenrollstatus)
+- [LinkedEnrollment/LastError](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentlasterror)
+- [LinkedEnrollment/DiscoveryEndpoint](mdm/dmclient-csp.md#deviceproviderprovideridlinkedenrollmentdiscoveryendpoint)
+
+The following SyncML example sets **LinkedEnrolment/DiscoveryEndpoint** and triggers **LinkedEnrollment/Enroll**:
+
+```xml
+<SyncML xmlns="SYNCML:SYNCML1.1">
+    <SyncBody>
+        <Replace>
+           <CmdID>2</CmdID>
+            <Item>
+                <Target>
+                    <LocURI>./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20SERVER/LinkedEnrollment/DiscoveryEndpoint</LocURI>
+                </Target>
+         <Data>https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0</Data>
+            </Item>
+        </Replace>
+        <Final/>
+    </SyncBody>
+</SyncML>
+
+<SyncML xmlns="SYNCML:SYNCML1.1">
+    <SyncBody>
+        <Exec>
+            <CmdID>2</CmdID>
+            <Item>
+                <Target>
+                    <LocURI>./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20SERVER/LinkedEnrollment/Enroll</LocURI>
+                </Target>
+           </Item>
+        </Exec>
+        <Final/>
+    </SyncBody>
+</SyncML>
+```
+
+## Related content
+
+- [Declared Configuration extensibility](declared-configuration-extensibility.md)
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index 9b12683d3e..00e2645545 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -100,24 +100,26 @@ When the server initiates disconnection, all undergoing sessions for the enrollm
 
 ## Unenrollment from Work Access settings page
 
-If the user is enrolled into MDM using an Azure Active Directory (Azure AD Join or by adding a Microsoft work account), the MDM account shows up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device.
+If the user is enrolled into MDM using a Microsoft Entra ID (Microsoft Entra join or by adding a Microsoft work account), the MDM account shows up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Microsoft Entra association to the device.
 
 You can only use the Work Access page to unenroll under the following conditions:
 
 - Enrollment was done using bulk enrollment.
 - Enrollment was created using the Work Access page.
 
-## Unenrollment from Azure Active Directory Join
+<a name='unenrollment-from-azure-active-directory-join'></a>
 
-When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
+## Unenrollment from Microsoft Entra join
+
+When a user is enrolled into MDM through Microsoft Entra join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
 
 ![aadj unenerollment.](images/azure-ad-unenrollment.png)
 
-During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state.
+During the process in which a device is enrolled into MDM through Microsoft Entra join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Microsoft Entra association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state.
 
-Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Azure AD, otherwise the device won't have any admin user after the operation.
+Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Microsoft Entra ID, otherwise the device won't have any admin user after the operation.
 
-In mobile devices, remote unenrollment for Azure Active Directory Joined devices fails. To remove corporate content from these devices, we recommend you remotely wipe the device.
+In mobile devices, remote unenrollment for Microsoft Entra joined devices fails. To remove corporate content from these devices, we recommend you remotely wipe the device.
 
 ## IT admin-requested disconnection
 
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index 031f810c1b..e711afcc6a 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -12,29 +12,31 @@ ms.collection:
 
 You can use a Group Policy to trigger autoenrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
 
-The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
+The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Microsoft Entra account.
 
 **Requirements**:
 
 - The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client).
 - The enterprise has configured a Mobile Device Management (MDM) service.
-- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad).
+- The on-premises Active Directory must be [integrated with Microsoft Entra ID (via Microsoft Entra Connect)](/azure/architecture/reference-architectures/identity/azure-ad).
+- Service connection point (SCP) configuration. For more information see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices).
 - The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents fail enrollment with `error 0x80180026`).
-- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
+- The minimum Windows Server version requirement is based on the Microsoft Entra hybrid join requirement. For more information, see [How to plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
+
 
 > [!TIP]
 > For more information, see the following topics:
 >
-> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
-> - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
-> - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md)
+> - [How to configure automatic registration of Windows domain-joined devices with Microsoft Entra ID](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
+> - [How to plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
+> - [Microsoft Entra integration with MDM](./azure-active-directory-integration-with-mdm.md)
 
-The autoenrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered.
+The autoenrollment relies on the presence of an MDM service and the Microsoft Entra registration for the PC. Once the enterprise has registered its AD with Microsoft Entra ID, a Windows PC that is domain joined is automatically Microsoft Entra registered.
 
 > [!NOTE]
 > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
 
-When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
+When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
 
 - Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM.
 - Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
@@ -45,7 +47,7 @@ For this policy to work, you must verify that the MDM service provider allows Gr
 
 To configure autoenrollment using a group policy, use the following steps:
 
-1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
+1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Microsoft Entra credentials**.
 1. Create a Security Group for the PCs.
 1. Link the GPO.
 1. Filter using Security Groups.
@@ -85,7 +87,7 @@ This procedure is only for illustration purposes to show how the new autoenrollm
 
 1. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**.
 
-1. Double-click **Enable automatic MDM enrollment using default Azure AD credentials**. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
+1. Double-click **Enable automatic MDM enrollment using default Microsoft Entra credentials**. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
 
    :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png":::
 
@@ -94,14 +96,14 @@ This procedure is only for illustration purposes to show how the new autoenrollm
    >
    > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop).
 
-When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
+When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
 
 If two-factor authentication is required, you are prompted to complete the process. Here's an example screenshot.
 
 :::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification.":::
 
 > [!TIP]
-> You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
+> You can avoid this behavior by using Conditional Access Policies in Microsoft Entra ID. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
 
 ## Verify enrollment
 
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md
index 56d0b0809b..976b340e5a 100644
--- a/windows/client-management/enterprise-app-management.md
+++ b/windows/client-management/enterprise-app-management.md
@@ -200,10 +200,10 @@ If you purchased an app from the Store for Business and the app is specified for
 
 Here are the requirements for this scenario:
 
-- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
+- The app is assigned to a user Microsoft Entra identity in the Store for Business. You can assign directly in the Store for Business or through a management server.
 - The device requires connectivity to the Microsoft Store.
 - Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin.
-- The user must be signed in with their Azure AD identity.
+- The user must be signed in with their Microsoft Entra identity.
 
 Here's an example:
 
@@ -267,7 +267,7 @@ Here are the requirements for this scenario:
 - The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (`https://contoso.com/app1.appx`).
 - The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
 - The device doesn't need to have connectivity to the Microsoft Store, store services, or have the Microsoft Store UI be enabled.
-- The user must be logged in, but association with Azure AD identity isn't required.
+- The user must be logged in, but association with Microsoft Entra identity isn't required.
 
 > [!NOTE]
 > You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
@@ -384,7 +384,7 @@ Here are the requirements for this scenario:
 - The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (`https://contoso.com/app1.appx\`)
 - The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
 - The device doesn't need to have connectivity to the Microsoft Store, or store services enabled.
-- The device doesn't need any Azure AD identity or domain membership.
+- The device doesn't need any Microsoft Entra identity or domain membership.
 - For nonStore app, your device must be unlocked.
 - For Store offline apps, the required licenses must be deployed before deploying the apps.
 
diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md
index 21cae9d2ac..970b5917af 100644
--- a/windows/client-management/esim-enterprise-management.md
+++ b/windows/client-management/esim-enterprise-management.md
@@ -14,7 +14,7 @@ The expectations from an MDM are that it uses the same sync mechanism that it us
 
 If you're a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
 
-- Onboard to Azure Active Directory
+- Onboard to Microsoft Entra ID
 - Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for MDM providers to manager eSIM profiles for enterprise use cases. However, Windows doesn't limit how ecosystem partners offer this service to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies.
 
   As an MDM provider, if you're looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties.
diff --git a/windows/client-management/images/declared-configuration-model.png b/windows/client-management/images/declared-configuration-model.png
new file mode 100644
index 0000000000..7708eedf57
Binary files /dev/null and b/windows/client-management/images/declared-configuration-model.png differ
diff --git a/windows/client-management/images/icons/group-policy.svg b/windows/client-management/images/icons/group-policy.svg
new file mode 100644
index 0000000000..ace95add6b
--- /dev/null
+++ b/windows/client-management/images/icons/group-policy.svg
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
+  <path d="M1792 0q53 0 99 20t82 55 55 81 20 100q0 53-20 99t-55 82-81 55-100 20h-128v1280q0 53-20 99t-55 82-81 55-100 20H256q-53 0-99-20t-82-55-55-81-20-100q0-53 20-99t55-82 81-55 100-20V256q0-53 20-99t55-82 81-55T512 0h1280zM128 1792q0 27 10 50t27 40 41 28 50 10h930q-34-60-34-128t34-128H256q-27 0-50 10t-40 27-28 41-10 50zm1280 128q27 0 50-10t40-27 28-41 10-50V256q0-68 34-128H512q-27 0-50 10t-40 27-28 41-10 50v1280h1024q26 0 45 19t19 45q0 26-19 45t-45 19q-25 0-49 9t-42 28q-18 18-27 42t-10 49q0 27 10 50t27 40 41 28 50 10zm384-1536q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10q-27 0-50 10t-40 27-28 41-10 50v128h128zm-1280 0h896v128H512V384zm0 256h256v128H512V640zm0 256h256v128H512V896zm0 256h256v128H512v-128zm640-512q53 0 99 20t82 55 55 81 20 100q0 17-4 33t-4 31v539l-248-124-248 124V960q0-14-4-30t-4-34q0-53 20-99t55-82 81-55 100-20zm0 128q-27 0-50 10t-40 27-28 41-10 50q0 27 10 50t27 40 41 28 50 10q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10zm136 549v-204q-30 20-65 29t-71 10q-36 0-71-9t-65-30v204l136-68 136 68z" fill="#0078D4" />
+</svg>
\ No newline at end of file
diff --git a/windows/client-management/images/icons/intune.svg b/windows/client-management/images/icons/intune.svg
new file mode 100644
index 0000000000..6e0d938aed
--- /dev/null
+++ b/windows/client-management/images/icons/intune.svg
@@ -0,0 +1,24 @@
+<svg id="a9ed4d43-c916-4b9a-b9ca-be76fbdc694c" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
+  <defs>
+    <linearGradient id="aaede26b-698f-4a65-b6db-859d207e2da6" x1="8.05" y1="11.32" x2="8.05" y2="1.26" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#0078d4" />
+      <stop offset="0.82" stop-color="#5ea0ef" />
+    </linearGradient>
+    <linearGradient id="bc54987f-34ba-4701-8ce4-6eca10aff9e9" x1="8.05" y1="15.21" x2="8.05" y2="11.32" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#1490df" />
+      <stop offset="0.98" stop-color="#1f56a3" />
+    </linearGradient>
+    <linearGradient id="a5434fd8-c18c-472c-be91-f2aa070858b7" x1="8.05" y1="7.87" x2="8.05" y2="4.94" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#d2ebff" />
+      <stop offset="1" stop-color="#f0fffd" />
+    </linearGradient>
+  </defs>
+  <title>Icon-intune-329</title>
+  <rect x="0.5" y="1.26" width="15.1" height="10.06" rx="0.5" fill="url(#aaede26b-698f-4a65-b6db-859d207e2da6)" />
+  <rect x="1.34" y="2.1" width="13.42" height="8.39" rx="0.28" fill="#fff" />
+  <path d="M11.08,14.37c-1.5-.23-1.56-1.31-1.55-3h-3c0,1.74-.06,2.82-1.55,3a.87.87,0,0,0-.74.84h7.54A.88.88,0,0,0,11.08,14.37Z" fill="url(#bc54987f-34ba-4701-8ce4-6eca10aff9e9)" />
+  <path d="M17.17,5.91H10.29a2.31,2.31,0,1,0,0,.92H11v9.58a.33.33,0,0,0,.33.33h5.83a.33.33,0,0,0,.33-.33V6.24A.33.33,0,0,0,17.17,5.91Z" fill="#32bedd" />
+  <rect x="11.62" y="6.82" width="5.27" height="8.7" rx="0.12" fill="#fff" />
+  <circle cx="8.05" cy="6.41" r="1.46" opacity="0.9" fill="url(#a5434fd8-c18c-472c-be91-f2aa070858b7)" />
+  <path d="M14.88,10.82,13.76,9.7a.06.06,0,0,0-.1.05v.68a.06.06,0,0,1-.06.06H11v.83H13.6a.06.06,0,0,1,.06.06v.69a.06.06,0,0,0,.1,0L14.88,11A.12.12,0,0,0,14.88,10.82Z" fill="#0078d4" />
+</svg>
\ No newline at end of file
diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md
index 2927f3eefe..ae35a82630 100644
--- a/windows/client-management/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/implement-server-side-mobile-application-management.md
@@ -1,29 +1,31 @@
 ---
-title: Support for mobile application management on Windows
-description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices.
+title: Support for Windows Information Protection (WIP) on Windows
+description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices.
 ms.topic: article
 ms.date: 08/10/2023
 ---
 
-# Support for mobile application management on Windows
+# Support for Windows Information Protection (WIP) on Windows
 
-The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP).
+Windows Information Protection (WIP) is a lightweight solution for managing company data access and security on personal devices. WIP support is built into Windows.
 
 [!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)]
 
-## Integration with Azure AD
+<a name='integration-with-azure-ad'></a>
 
-MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
+## Integration with Microsoft Entra ID
 
-MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices are enrolled to MAM or MDM, depending on the user's actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device is enrolled to MAM. If a user joins their device to Azure AD, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
+WIP is integrated with Microsoft Entra identity service. The WIP service supports Microsoft Entra integrated authentication for the user and the device during enrollment and the downloading of WIP policies. WIP integration with Microsoft Entra ID is similar to mobile device management (MDM) integration. See [Microsoft Entra integration with MDM](azure-active-directory-integration-with-mdm.md).
 
-On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
+WIP uses Workplace Join (WPJ). WPJ is integrated with adding a work account flow to a personal device. If a user adds their work or school Microsoft Entra account as a secondary account to the machine, their device registered with WPJ. If a user joins their device to Microsoft Entra ID, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be registered with WPJ. A Microsoft Entra join, and enrollment to MDM, should be used to manage corporate devices.
+
+On personal devices, users can add a Microsoft Entra account as a secondary account to the device while keeping their personal account as primary. Users can add a Microsoft Entra account to the device from a supported Microsoft Entra integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add a Microsoft Entra account from **Settings > Accounts > Access work or school**.
 
 Regular non administrator users can enroll to MAM.
 
-## Integration with Windows Information Protection
+## Understand Windows Information Protection
 
-MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
+WIP takes advantage of [built-in policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, WPJ limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
 
 To make applications WIP-aware, app developers need to include the following data in the app resource file.
 
@@ -35,26 +37,28 @@ MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID
   END
 ```
 
-## Configuring an Azure AD tenant for MAM enrollment
+<a name='configuring-an-azure-ad-tenant-for-mam-enrollment'></a>
 
-MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. The same cloud-based Management MDM app in Azure AD supports both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. This screenshot illustrates the management app for an IT admin configuration.
+## Configuring a Microsoft Entra tenant for MAM enrollment
+
+MAM enrollment requires integration with Microsoft Entra ID. The MAM service provider needs to publish the Management MDM app to the Microsoft Entra app gallery. The same cloud-based Management MDM app in Microsoft Entra ID supports both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. This screenshot illustrates the management app for an IT admin configuration.
 
 :::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png":::
 
-MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that contains both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM.
+MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Microsoft Entra Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that contains both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Microsoft Entra ID: one for MAM and one for MDM.
 
 > [!NOTE]
-> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.
+> If the MDM service in an organization isn't integrated with Microsoft Entra ID and uses auto-discovery, only one Management app for MAM needs to be configured.
 
 ## MAM enrollment
 
-MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.
+MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Microsoft Entra ID [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.
 
 These are the protocol changes for MAM enrollment:
 
 - MDM discovery isn't supported.
 - APPAUTH node in [DMAcc CSP](mdm/dmacc-csp.md) is optional.
-- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way TLS/SSL using server certificate authentication.
+- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use a Microsoft Entra token for client authentication during policy syncs. Policy sync sessions must be performed over one-way TLS/SSL using server certificate authentication.
 
 Here's an example provisioning XML for MAM enrollment.
 
@@ -74,7 +78,7 @@ Since the [Poll](mdm/dmclient-csp.md#deviceproviderprovideridpoll) node isn't pr
 
 ## Supported CSPs
 
-MAM on Windows supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback:
+WIP supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback:
 
 - [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
 - [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
@@ -104,7 +108,7 @@ We don't recommend configuring both Exchange ActiveSync (EAS) and MAM policies f
 
 ## Policy sync
 
-MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to authenticate to the service for policy syncs.
+MAM policy syncs are modeled after MDM. The MAM client uses a Microsoft Entra token to authenticate to the service for policy syncs.
 
 ## Change MAM enrollment to MDM
 
@@ -121,4 +125,4 @@ In the process of changing MAM enrollment to MDM, MAM policies will be removed f
 - EDP CSP Enterprise ID is the same for both MAM and MDM.
 - EDP CSP RevokeOnMDMHandoff is set to false.
 
-If the MAM device is properly configured for MDM enrollment, then the *Enroll only to device management* link is displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account won't be affected.
+If the MAM device is properly configured for MDM enrollment, then the *Enroll only to device management* link is displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Microsoft Entra account won't be affected.
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index 9501d46c0a..40f4cb654f 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -12,10 +12,10 @@ metadata:
   ms.collection:
     - highpri
     - tier1
-  author: aczechowski
-  ms.author: aaroncz
+  author: vinaypamnani-msft
+  ms.author: vinpa
   manager: aaroncz
-  ms.date: 04/13/2023
+  ms.date: 09/26/2023
   localization_priority: medium
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -32,33 +32,28 @@ landingContent:
             url: mdm-overview.md
       - linkListType: concept
         links:
-          - text: MDM for device updates
-            url: device-update-management.md
-          - text: Enterprise settings, policies, and app management
+          - text: Manage settings
             url: windows-mdm-enterprise-settings.md
-          - text: Windows Tools/Administrative Tools
-            url: client-tools/administrative-tools-in-windows.md
-          - text: Create mandatory user profiles
-            url: client-tools/mandatory-user-profile.md
+          - text: Manage updates
+            url: device-update-management.md
+          - text: Manage apps
+            url: enterprise-app-management.md
+          - text: Manage Copilot in Windows
+            url: manage-windows-copilot.md
 
-  - title: Device enrollment
+  - title: Copilot in Windows
     linkLists:
-      - linkListType: overview
-        links:
-          - text: Mobile device enrollment
-            url: mobile-device-enrollment.md
-      - linkListType: concept
-        links:
-          - text: Enroll Windows devices
-            url: mdm-enrollment-of-windows-devices.md
-          - text: Automatic enrollment using Azure AD
-            url: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
-          - text: Automatic enrollment using group policy
-            url: enroll-a-windows-10-device-automatically-using-group-policy.md
-          - text: Bulk enrollment
-            url: bulk-enrollment-using-windows-provisioning-tool.md
+      - links:
+          - text: Manage Copilot in Windows
+            url: manage-windows-copilot.md
+        linkListType: how-to-guide
+      - links:
+          - text: Welcome overview
+            url: https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0
+          - text: Your data and privacy
+            url: https://support.microsoft.com/windows/privacy-in-windows-copilot-3e265e82-fc76-4d0a-afc0-4a0de528b73a
+        linkListType: overview
 
-  # Card (optional)
   - title: Configuration service provider reference
     linkLists:
       - linkListType: overview
@@ -82,8 +77,36 @@ landingContent:
           - text: Policy CSP - Update
             url: mdm/policy-csp-update.md
 
+  - title: Device enrollment
+    linkLists:
+      - linkListType: overview
+        links:
+          - text: Mobile device enrollment
+            url: mobile-device-enrollment.md
+      - linkListType: concept
+        links:
+          - text: Enroll Windows devices
+            url: mdm-enrollment-of-windows-devices.md
+          - text: Automatic enrollment using Microsoft Entra ID
+            url: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+          - text: Automatic enrollment using group policy
+            url: enroll-a-windows-10-device-automatically-using-group-policy.md
+          - text: Bulk enrollment
+            url: bulk-enrollment-using-windows-provisioning-tool.md
+
+  - title: Client management tools
+    linkLists:
+      - linkListType: learn
+        links:
+          - text: Windows Tools/Administrative Tools
+            url: client-tools/administrative-tools-in-windows.md
+          - text: Use Quick assist
+            url: client-tools/quick-assist.md
+          - text: Connect to Microsoft Entra devices
+            url: client-tools/connect-to-remote-aadj-pc.md
+          - text: Create mandatory user profiles
+            url: client-tools/mandatory-user-profile.md
 
-  # Card (optional)
   - title: Troubleshoot Windows clients
     linkLists:
       - linkListType: how-to-guide
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 5b432d5e1d..7129573f55 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -12,13 +12,6 @@ Use of personal devices for work, and employees working outside the office, may
 
 Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows faster.
 
-This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
-
-> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA]
-
-> [!NOTE]
-> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
-
 This article offers guidance on strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. It covers [management options](#reviewing-the-management-options-for-windows) plus the four stages of the device lifecycle:
 
 - [Deployment and Provisioning](#deployment-and-provisioning)
@@ -32,7 +25,7 @@ Windows offers a range of management options, as shown in the following diagram:
 
 :::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png":::
 
-As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, and Microsoft 365.
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Microsoft Entra ID, Azure Information Protection, and Microsoft 365.
 
 ## Deployment and provisioning
 
@@ -48,21 +41,21 @@ You have multiple options for [upgrading to Windows 10 and Windows 11](/windows/
 
 ## Identity and authentication
 
-You can use Windows and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
+You can use Windows and services like [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
 
 You can envision user and device management as falling into these two categories:
 
 - **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows, your employees can self-provision their devices:
 
-  - For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
+  - For corporate devices, they can set up corporate access with [Microsoft Entra join](/azure/active-directory/devices/overview). When you offer them Microsoft Entra join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
 
-    Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
+    Microsoft Entra join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
 
   - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
 
 - **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
 
-  With Windows, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
+  With Windows, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Microsoft Entra ID](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Microsoft Entra ID. This registration provides:
 
   - Single sign-on to cloud and on-premises resources from everywhere
   - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable)
@@ -72,7 +65,7 @@ You can envision user and device management as falling into these two categories
 
   Domain joined PCs and tablets can continue to be managed with [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy.
 
-As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
+As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Microsoft Entra ID.
 
 :::image type="content" source="images/windows-10-management-cyod-byod-flow.png" alt-text="Diagram of decision tree for device authentication options." lightbox="images/windows-10-management-cyod-byod-flow.png":::
 
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md
new file mode 100644
index 0000000000..bc4adbca9d
--- /dev/null
+++ b/windows/client-management/manage-windows-copilot.md
@@ -0,0 +1,31 @@
+---
+title: Manage Copilot in Windows
+description: Learn how to manage Copilot in Windows using MDM and group policy.
+ms.topic: article
+ms.date: 10/16/2023
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+---
+
+# Manage Copilot in Windows
+
+Windows is the first PC platform to provide centralized AI assistance for customers. Together, with Bing Chat, Copilot in Windows helps you bring your ideas to life, complete complex projects and collaborate instead of spending energy finding, launching and working across multiple applications.
+
+This article lists settings available to manage Copilot in Windows. To learn more about Copilot in Windows, see [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
+
+## Turn off Copilot in Windows
+
+This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them.
+
+|                  | Setting                                                                                                 |
+|------------------|---------------------------------------------------------------------------------------------------------|
+| **CSP**          | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
+| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** |
+
+
+
+## Related articles
+
+- [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0)
+
+- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/copilot-in-windows-your-data-and-privacy-3e265e82-fc76-4d0a-afc0-4a0de528b73a)
diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md
index 08c2a6ed6b..c3dd757bb5 100644
--- a/windows/client-management/mdm-diagnose-enrollment.md
+++ b/windows/client-management/mdm-diagnose-enrollment.md
@@ -17,7 +17,7 @@ To ensure that the autoenrollment feature is working as expected, you must verif
 
    :::image type="content" alt-text="Screenshot of Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
 
-1. Verify that autoenrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
+1. Verify that autoenrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Microsoft Entra ID and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
 
     ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
 
@@ -28,7 +28,7 @@ To ensure that the autoenrollment feature is working as expected, you must verif
 
 1. Verify that the device is running a [supported version of Windows](/windows/release-health/supported-versions-windows-client).
 
-1. Autoenrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
+1. Autoenrollment into Intune via Group Policy is valid only for devices that are Microsoft Entra hybrid joined. This condition means that the device must be joined into both local Active Directory and Microsoft Entra ID. To verify that the device is Microsoft Entra hybrid joined, run `dsregcmd /status` from the command line.
 
     You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
 
@@ -36,9 +36,9 @@ To ensure that the autoenrollment feature is working as expected, you must verif
 
     Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**.
 
-    ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png)
+    ![Auto-enrollment Microsoft Entra prt verification.](images/auto-enrollment-azureadprt-verification.png)
 
-    This information can also be found on the Azure AD device list.
+    This information can also be found on the Microsoft Entra device list.
 
 1. Verify that the MDM discovery URL during autoenrollment is `https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc`.
 
@@ -48,7 +48,7 @@ To ensure that the autoenrollment feature is working as expected, you must verif
 
    :::image type="content" alt-text="Screenshot of Mobility setting MDM Intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png":::
 
-1. When using group policy for enrollment, verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully.
+1. When using group policy for enrollment, verify that the *Enable Automatic MDM enrollment using default Microsoft Entra credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully.
 
 1. Verify that Microsoft Intune allows enrollment of Windows devices.
 
@@ -79,14 +79,14 @@ If you can't find event ID 75 in the logs, it indicates that the autoenrollment
 
 - The autoenrollment didn't trigger at all. In this case, you won't find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described here:
 
-   The autoenrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot:
+   The autoenrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Microsoft Entra credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot:
 
    :::image type="content" alt-text="Screenshot of Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
 
    > [!NOTE]
    > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task.
 
-   This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107.
+   This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID is triggered by event ID 107.
 
    :::image type="content" alt-text="Screenshot of Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png":::
 
@@ -96,7 +96,7 @@ If you can't find event ID 75 in the logs, it indicates that the autoenrollment
 
    The task scheduler log displays event ID 102 (task completed) regardless of the autoenrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the autoenrollment task is triggered or not. It doesn't indicate the success or failure of autoenrollment.
 
-   If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required.
+   If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required.
    One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
 
    :::image type="content" alt-text="Screenshot of Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png":::
diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md
index 9c772124fe..ef09eea68f 100644
--- a/windows/client-management/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md
@@ -17,16 +17,18 @@ In today's cloud-first world, enterprise IT departments increasingly want to let
 
 ## Connect corporate-owned Windows devices
 
-You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
+You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to a Microsoft Entra domain. Windows doesn't require a personal Microsoft account on devices joined to Microsoft Entra ID or an on-premises Active Directory domain.
 
-![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png)
+![active directory Microsoft Entra sign-in.](images/unifiedenrollment-rs1-1.png)
 
 > [!NOTE]
 > For devices joined to on-premises Active Directory, see [Group policy enrollment](enroll-a-windows-10-device-automatically-using-group-policy.md).
 
-### Connect your device to an Azure AD domain (join Azure AD)
+<a name='connect-your-device-to-an-azure-ad-domain-join-azure-ad'></a>
 
-All Windows devices can be connected to an Azure AD domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to an Azure AD domain using the Settings app.
+### Connect your device to a Microsoft Entra domain (join Microsoft Entra ID)
+
+All Windows devices can be connected to a Microsoft Entra domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to a Microsoft Entra domain using the Settings app.
 
 #### Out-of-box-experience
 
@@ -36,19 +38,19 @@ To join a domain:
 
     ![oobe - local account creation](images/unifiedenrollment-rs1-11.png)
 
-1. Select **Join Azure AD**, and then select **Next.**
+1. Select **Join Microsoft Entra ID**, and then select **Next.**
 
-    ![choose the domain or azure ad](images/unifiedenrollment-rs1-12.png)
+    ![choose the domain or Microsoft Entra ID](images/unifiedenrollment-rs1-12.png)
 
-1. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services.
+1. Type in your Microsoft Entra username. This username is the email address you use to log into Microsoft Office 365 and similar services.
 
     If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you're able to enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication.
 
     Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
 
-    If your Azure AD tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). After you complete the flow, your device will be connected to your organization's Azure AD domain.
+    If your Microsoft Entra tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). After you complete the flow, your device will be connected to your organization's Microsoft Entra domain.
 
-    ![azure ad signin.](images/unifiedenrollment-rs1-13.png)
+    ![Microsoft Entra sign-in during OOBE.](images/unifiedenrollment-rs1-13.png)
 
 #### Use the Settings app
 
@@ -70,36 +72,38 @@ To create a local account and connect the device:
 
     ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png)
 
-1. Under **Alternate Actions**, select **Join this device to Azure Active Directory**.
+1. Under **Alternate Actions**, select **Join this device to Microsoft Entra ID**.
 
-    ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png)
+    ![option to join work or school account to Microsoft Entra ID](images/unifiedenrollment-rs1-18.png)
 
-1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services.
+1. Type in your Microsoft Entra username. This username is the email address you use to log into Office 365 and similar services.
 
-    ![azure ad sign in.](images/unifiedenrollment-rs1-19.png)
+    ![Microsoft Entra sign-in using Settings app.](images/unifiedenrollment-rs1-19.png)
 
     If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication.
 
     Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
 
-    If your Azure AD tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to connect your device to MDM.
+    If your Microsoft Entra tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to connect your device to MDM.
 
-    After you reach the end of the flow, your device should be connected to your organization's Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username.
+    After you reach the end of the flow, your device should be connected to your organization's Microsoft Entra domain. You may now sign out of your current account and sign in using your Microsoft Entra username.
 
     ![corporate sign in screen](images/unifiedenrollment-rs1-20.png)
 
-#### Help with connecting to an Azure AD domain
+<a name='help-with-connecting-to-an-azure-ad-domain'></a>
 
-There are a few instances where your device can't be connected to an Azure AD domain.
+#### Help with connecting to a Microsoft Entra domain
+
+There are a few instances where your device can't be connected to a Microsoft Entra domain.
 
 | Connection issue | Description |
 |--|--|
-| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. |
-| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. |
-| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. |
-| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You must switch to an administrator account to continue. |
-| Your device is already managed by MDM. | The connect to Azure AD flow attempts to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. |
-| Your device is running Home edition. | This feature isn't available on Windows Home edition, so you can't connect to an Azure AD domain. You must upgrade to Pro, Enterprise, or Education edition to continue. |
+| Your device is connected to a Microsoft Entra domain. | Your device can only be connected to a single Microsoft Entra domain at a time. |
+| Your device is already connected to an Active Directory domain. | Your device can either be connected to a Microsoft Entra domain or an Active Directory domain. You can't connect to both simultaneously. |
+| Your device already has a user connected to a work account. | You can either connect to a Microsoft Entra domain or connect to a work or school account. You can't connect to both simultaneously. |
+| You're logged in as a standard user. | Your device can only be connected to a Microsoft Entra domain if you're logged in as an administrative user. You must switch to an administrator account to continue. |
+| Your device is already managed by MDM. | The connect to Microsoft Entra ID flow attempts to enroll your device into MDM if your Microsoft Entra tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Microsoft Entra ID in this case. |
+| Your device is running Home edition. | This feature isn't available on Windows Home edition, so you can't connect to a Microsoft Entra domain. You must upgrade to Pro, Enterprise, or Education edition to continue. |
 
 ## Connect personally owned devices
 
@@ -107,7 +111,9 @@ Personally owned devices, also known as bring your own device (BYOD), can be con
 
 All Windows devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps.
 
-### Register device in Azure AD and enroll in MDM
+<a name='register-device-in-azure-ad-and-enroll-in-mdm'></a>
+
+### Register device in Microsoft Entra ID and enroll in MDM
 
 To create a local account and connect the device:
 
@@ -123,15 +129,15 @@ To create a local account and connect the device:
 
     ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png)
 
-1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services.
+1. Type in your Microsoft Entra username. This username is the email address you use to log into Office 365 and similar services.
 
-    ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png)
+    ![sync work or school account to Azure AD.](images/unifiedenrollment-rs1-25-b.png)
 
 1. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication.
 
     Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
 
-    If your Azure AD tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only).
+    If your Microsoft Entra tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only).
 
     You can see the status page that shows the progress of your device being set up.
 
@@ -147,8 +153,8 @@ There are a few instances where your device may not be able to connect to work.
 
 | Error Message | Description |
 |--|--|
-| Your device is already connected to your organization's cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. |
-| We couldn't find your identity in your organization's cloud. | The username you entered wasn't found on your Azure AD tenant. |
+| Your device is already connected to your organization's cloud. | Your device is already connected to either Microsoft Entra ID, a work or school account, or an AD domain. |
+| We couldn't find your identity in your organization's cloud. | The username you entered wasn't found on your Microsoft Entra tenant. |
 | Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Configuration Manager. |
 | You don't have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. |
 | We couldn't autodiscover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. |
@@ -195,7 +201,7 @@ The deep link used for connecting your device to work uses the following format.
 
 | Parameter | Description | Supported Value for Windows |
 |--|--|--|
-| mode | Describes which mode is executed in the enrollment app. | Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. |
+| mode | Describes which mode is executed in the enrollment app. | Mobile Device Management (MDM), Adding Work Account (AWA), and Microsoft Entra joined. |
 | username | Specifies the email address or UPN of the user who should be enrolled into MDM. | string |
 | servername | Specifies the MDM server URL that is used to enroll the device. | string |
 | accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. | string |
@@ -248,7 +254,7 @@ To manage your work or school connections, select **Settings** > **Accounts** >
 
 The **Info** button can be found on work or school connections involving MDM. This button is included in the following scenarios:
 
-- Connecting your device to an Azure AD domain that has autoenroll into MDM configured.
+- Connecting your device to a Microsoft Entra domain that has autoenroll into MDM configured.
 - Connecting your device to a work or school account that has autoenroll into MDM configured.
 - Connecting your device to MDM.
 
@@ -263,7 +269,7 @@ Selecting the **Info** button shows a list of policies and line-of-business apps
 The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button removes the connection from the device. There are a few exceptions to this functionality:
 
 - Devices that enforce the AllowManualMDMUnenrollment policy don't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command.
-- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device.
+- On mobile devices, you can't disconnect from Microsoft Entra ID. These connections can only be removed by wiping the device.
 
 > [!WARNING]
 > Disconnecting might result in the loss of data on the device.
diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md
index 7676911fc4..3b715665e0 100644
--- a/windows/client-management/mdm-known-issues.md
+++ b/windows/client-management/mdm-known-issues.md
@@ -33,7 +33,7 @@ When the Windows device is configured to use a proxy that requires authenticatio
 
 Server-initiated unenrollment for a device enrolled by adding a work account silently fails to leave the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server.
 
-Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device.
+Remote server unenrollment is disabled for mobile devices enrolled via Microsoft Entra join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Microsoft Entra joined is by remotely wiping the device.
 
 ## Certificates causing issues with Wi-Fi and VPN
 
@@ -222,9 +222,11 @@ Alternatively you can use the following procedure to create an EAP Configuration
 
 After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
 
-## User provisioning failure in Azure Active Directory-joined devices
+<a name='user-provisioning-failure-in-azure-active-directory-joined-devices'></a>
 
-For Azure AD joined devices, provisioning `.\User` resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** &gt; **System** &gt; **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.
+## User provisioning failure in Microsoft Entra joined devices
+
+For Microsoft Entra joined devices, provisioning `.\User` resources fails when the user isn't logged in as a Microsoft Entra user. If you attempt to join Microsoft Entra ID from **Settings** &gt; **System** &gt; **About** user interface, ensure to sign out and sign in with Microsoft Entra credentials to get your organizational configuration from your MDM server. This behavior is by design.
 
 ## Requirements to note for VPN certificates also used for Kerberos Authentication
 
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index ceca839aaa..4777c1d28c 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -31,7 +31,7 @@ Microsoft provides MDM security baselines that function like the Microsoft group
 
 The MDM security baseline includes policies that cover the following areas:
 
-- Microsoft inbox security technologies (not deprecated) such as BitLocker, Windows Defender SmartScreen, Exploit Guard, Microsoft Defender Antivirus, and Firewall
+- Microsoft inbox security technologies (not deprecated) such as **BitLocker, Windows Defender SmartScreen, Exploit Guard, Microsoft Defender Antivirus,** and **Firewall**
 - Restricting remote access to devices
 - Setting credential requirements for passwords and PINs
 - Restricting use of legacy technology
@@ -56,16 +56,18 @@ For information about the MDM policies defined in the Intune security baseline,
 
 No. Only one MDM is allowed.
 
-### How do I set the maximum number of Azure Active Directory-joined devices per user?
+<a name='how-do-i-set-the-maximum-number-of-azure-active-directory-joined-devices-per-user'></a>
+
+### How do I set the maximum number of Microsoft Entra joined devices per user?
 
 1. Sign in to the portal as tenant admin: <https://portal.azure.com>.
-1. Navigate to **Azure AD**, then **Devices**, and then select **Device Settings**.
+1. Navigate to **Microsoft Entra ID**, then **Devices**, and then select **Device Settings**.
 1. Change the number under **Maximum number of devices per user**.
 
 ### What is dmwappushsvc?
 
 | Entry | Description |
 | --------------- | -------------------- |
-| What is dmwappushsvc? | It's a Windows service that ships in Windows operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
-| What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry. |
-| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and  required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service causes your management to fail. |
+| What is dmwappushsvc? | It's a Windows service that ships in the Windows operating system as a part of the Windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
+| What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and is involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry. |
+| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and  is required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service causes your management to fail. |
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 9863ad1ccf..4fdc019a91 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -1,81 +1,304 @@
 ---
 title: AccountManagement CSP
-description: Learn about the AccountManagement CSP, which is used to configure settings in the Account Manager service.
+description: Learn more about the AccountManagement CSP.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: reference
+ms.date: 08/29/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 03/23/2018
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- AccountManagement-Begin -->
 # AccountManagement CSP
 
-AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
+<!-- AccountManagement-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition.
 
 > [!NOTE]
 > The AccountManagement CSP is only supported in Windows Holographic for Business edition.
+<!-- AccountManagement-Editable-End -->
 
-The following syntax shows the AccountManagement configuration service provider in tree format.
+<!-- AccountManagement-Tree-Begin -->
+The following list shows the AccountManagement configuration service provider nodes:
 
-```console
-./Vendor/MSFT
-AccountManagement
-----UserProfileManagement
---------EnableProfileManager
---------DeletionPolicy
---------StorageCapacityStartDeletion
---------StorageCapacityStopDeletion
---------ProfileInactivityThreshold
+- ./Device/Vendor/MSFT/AccountManagement
+  - [UserProfileManagement](#userprofilemanagement)
+    - [DeletionPolicy](#userprofilemanagementdeletionpolicy)
+    - [EnableProfileManager](#userprofilemanagementenableprofilemanager)
+    - [ProfileInactivityThreshold](#userprofilemanagementprofileinactivitythreshold)
+    - [StorageCapacityStartDeletion](#userprofilemanagementstoragecapacitystartdeletion)
+    - [StorageCapacityStopDeletion](#userprofilemanagementstoragecapacitystopdeletion)
+<!-- AccountManagement-Tree-End -->
+
+<!-- Device-UserProfileManagement-Begin -->
+## UserProfileManagement
+
+<!-- Device-UserProfileManagement-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
+<!-- Device-UserProfileManagement-Applicability-End -->
+
+<!-- Device-UserProfileManagement-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/AccountManagement/UserProfileManagement
 ```
+<!-- Device-UserProfileManagement-OmaUri-End -->
 
-<a href="" id="accountmanagement"></a>**./Vendor/MSFT/AccountManagement**
-Root node for the AccountManagement configuration service provider.
+<!-- Device-UserProfileManagement-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- Device-UserProfileManagement-Description-End -->
 
-<a href="" id="accountmanagement-userprofilemanagemen-enableprofilemanager"></a>**UserProfileManagement**
-Interior node.
+<!-- Device-UserProfileManagement-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-UserProfileManagement-Editable-End -->
 
-<a href="" id="accountmanagement-userprofilemanagement-deletionpolicy"></a>**UserProfileManagement/EnableProfileManager**
-Enable profile lifetime management for shared or communal device scenarios. Default value is false.
+<!-- Device-UserProfileManagement-DFProperties-Begin -->
+**Description framework properties**:
 
-Supported operations are Add, Get, Replace, and Delete.
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+<!-- Device-UserProfileManagement-DFProperties-End -->
 
-Value type is bool.
+<!-- Device-UserProfileManagement-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-UserProfileManagement-Examples-End -->
 
-<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystartdeletion"></a>**UserProfileManagement/DeletionPolicy**
-Configures when profiles will be deleted. Default value is 1.
+<!-- Device-UserProfileManagement-End -->
 
-Valid values:
+<!-- Device-UserProfileManagement-DeletionPolicy-Begin -->
+### UserProfileManagement/DeletionPolicy
 
--  0 - delete immediately when the device returns to a state with no currently active users
--  1 - delete at storage capacity threshold
--  2 - delete at both storage capacity threshold and profile inactivity threshold
+<!-- Device-UserProfileManagement-DeletionPolicy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
+<!-- Device-UserProfileManagement-DeletionPolicy-Applicability-End -->
 
-Supported operations are Add, Get, Replace, and Delete.
+<!-- Device-UserProfileManagement-DeletionPolicy-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/AccountManagement/UserProfileManagement/DeletionPolicy
+```
+<!-- Device-UserProfileManagement-DeletionPolicy-OmaUri-End -->
 
-Value type is integer.
+<!-- Device-UserProfileManagement-DeletionPolicy-Description-Begin -->
+<!-- Description-Source-DDF -->
+Configures when profiles will be deleted. Allowed values: 0 (delete immediately upon device returning to a state with no currently active users); 1 (delete at storage capacity threshold); 2 (delete at both storage capacity threshold and profile inactivity threshold).
+<!-- Device-UserProfileManagement-DeletionPolicy-Description-End -->
 
-<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStartDeletion**
-Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25.
+<!-- Device-UserProfileManagement-DeletionPolicy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-UserProfileManagement-DeletionPolicy-Editable-End -->
 
-Supported operations are Add, Get, Replace, and Delete.
+<!-- Device-UserProfileManagement-DeletionPolicy-DFProperties-Begin -->
+**Description framework properties**:
 
-Value type is integer.
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- Device-UserProfileManagement-DeletionPolicy-DFProperties-End -->
 
-<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStopDeletion**
-Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50.
+<!-- Device-UserProfileManagement-DeletionPolicy-AllowedValues-Begin -->
+**Allowed values**:
 
-Supported operations are Add, Get, Replace, and Delete.
+| Value | Description |
+|:--|:--|
+| 0 | Delete immediately upon device returning to a state with no currently active users). |
+| 1 (Default) | Delete at storage capacity threshold. |
+| 2 | Delete at both storage capacity threshold and profile inactivity threshold. |
+<!-- Device-UserProfileManagement-DeletionPolicy-AllowedValues-End -->
 
-Value type is integer.
+<!-- Device-UserProfileManagement-DeletionPolicy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-UserProfileManagement-DeletionPolicy-Examples-End -->
 
-<a href="" id="accountmanagement-userprofilemanagement-profileinactivitythreshold"></a>**UserProfileManagement/ProfileInactivityThreshold**
-Start deleting profiles when they haven't been logged on during the specified period, given as number of days. Default value is 30.
+<!-- Device-UserProfileManagement-DeletionPolicy-End -->
 
-Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+<!-- Device-UserProfileManagement-EnableProfileManager-Begin -->
+### UserProfileManagement/EnableProfileManager
 
-## Related topics
+<!-- Device-UserProfileManagement-EnableProfileManager-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
+<!-- Device-UserProfileManagement-EnableProfileManager-Applicability-End -->
 
-[Configuration service provider reference](index.yml)
+<!-- Device-UserProfileManagement-EnableProfileManager-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/AccountManagement/UserProfileManagement/EnableProfileManager
+```
+<!-- Device-UserProfileManagement-EnableProfileManager-OmaUri-End -->
+
+<!-- Device-UserProfileManagement-EnableProfileManager-Description-Begin -->
+<!-- Description-Source-DDF -->
+Enable profile lifetime mangement for shared or communal device scenarios.
+<!-- Device-UserProfileManagement-EnableProfileManager-Description-End -->
+
+<!-- Device-UserProfileManagement-EnableProfileManager-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-UserProfileManagement-EnableProfileManager-Editable-End -->
+
+<!-- Device-UserProfileManagement-EnableProfileManager-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | false |
+<!-- Device-UserProfileManagement-EnableProfileManager-DFProperties-End -->
+
+<!-- Device-UserProfileManagement-EnableProfileManager-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | False. |
+| true | True. |
+<!-- Device-UserProfileManagement-EnableProfileManager-AllowedValues-End -->
+
+<!-- Device-UserProfileManagement-EnableProfileManager-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-UserProfileManagement-EnableProfileManager-Examples-End -->
+
+<!-- Device-UserProfileManagement-EnableProfileManager-End -->
+
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Begin -->
+### UserProfileManagement/ProfileInactivityThreshold
+
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Applicability-End -->
+
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/AccountManagement/UserProfileManagement/ProfileInactivityThreshold
+```
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-OmaUri-End -->
+
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Description-Begin -->
+<!-- Description-Source-DDF -->
+Start deleting profiles when they haven't been logged-on during the specified period, given as number of days.
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Description-End -->
+
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Editable-End -->
+
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 30 |
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-DFProperties-End -->
+
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-Examples-End -->
+
+<!-- Device-UserProfileManagement-ProfileInactivityThreshold-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Begin -->
+### UserProfileManagement/StorageCapacityStartDeletion
+
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Applicability-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/AccountManagement/UserProfileManagement/StorageCapacityStartDeletion
+```
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-OmaUri-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Description-Begin -->
+<!-- Description-Source-DDF -->
+Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first.
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Description-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Editable-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 25 |
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-DFProperties-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-Examples-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStartDeletion-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Begin -->
+### UserProfileManagement/StorageCapacityStopDeletion
+
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041] and later |
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Applicability-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/AccountManagement/UserProfileManagement/StorageCapacityStopDeletion
+```
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-OmaUri-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Description-Begin -->
+<!-- Description-Source-DDF -->
+Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles.
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Description-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Editable-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 50 |
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-DFProperties-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-Examples-End -->
+
+<!-- Device-UserProfileManagement-StorageCapacityStopDeletion-End -->
+
+<!-- AccountManagement-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- AccountManagement-CspMoreInfo-End -->
+
+<!-- AccountManagement-End -->
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md
index c6ec83beff..7589b07ab4 100644
--- a/windows/client-management/mdm/accountmanagement-ddf.md
+++ b/windows/client-management/mdm/accountmanagement-ddf.md
@@ -1,203 +1,232 @@
 ---
 title: AccountManagement DDF file
-description: View the OMA DM device description framework (DDF) for the AccountManagement configuration service provider. This file is used to configure settings.
+description: View the XML file containing the device description framework (DDF) for the AccountManagement configuration service provider.
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: reference
+ms.date: 08/29/2023
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 03/23/2018
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
 # AccountManagement DDF file
 
-This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider.
-
-The XML below is for Windows 10, version 1803.
+The following XML file contains the device description framework (DDF) for the AccountManagement configuration service provider.
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
-  "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
-  [<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
 <MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
   <VerDTD>1.2</VerDTD>
+  <MSFT:Diagnostics>
+  </MSFT:Diagnostics>
+  <Node>
+    <NodeName>AccountManagement</NodeName>
+    <Path>./Device/Vendor/MSFT</Path>
+    <DFProperties>
+      <AccessType>
+        <Get />
+      </AccessType>
+      <DFFormat>
+        <node />
+      </DFFormat>
+      <Occurrence>
+        <One />
+      </Occurrence>
+      <Scope>
+        <Permanent />
+      </Scope>
+      <DFType>
+        <MIME />
+      </DFType>
+      <MSFT:Applicability>
+        <MSFT:OsBuildVersion>10.0.19041</MSFT:OsBuildVersion>
+        <MSFT:CspVersion>1.0</MSFT:CspVersion>
+        <MSFT:EditionAllowList>0x88;</MSFT:EditionAllowList>
+      </MSFT:Applicability>
+    </DFProperties>
+    <Node>
+      <NodeName>UserProfileManagement</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+        </AccessType>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+      </DFProperties>
       <Node>
-        <NodeName>AccountManagement</NodeName>
-        <Path>./Device/Vendor/MSFT</Path>
+        <NodeName>EnableProfileManager</NodeName>
         <DFProperties>
           <AccessType>
+            <Add />
+            <Delete />
             <Get />
+            <Replace />
           </AccessType>
+          <DefaultValue>false</DefaultValue>
+          <Description>Enable profile lifetime mangement for shared or communal device scenarios.</Description>
           <DFFormat>
-            <node />
+            <bool />
           </DFFormat>
           <Occurrence>
-            <One />
+            <ZeroOrOne />
           </Occurrence>
           <Scope>
-            <Permanent />
+            <Dynamic />
           </Scope>
+          <DFTitle>Enable profile manager</DFTitle>
           <DFType>
-            <MIME>com.microsoft/1.0/MDM/AccountManagement</MIME>
+            <MIME />
+          </DFType>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>false</MSFT:Value>
+              <MSFT:ValueDescription>False</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>true</MSFT:Value>
+              <MSFT:ValueDescription>True</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DeletionPolicy</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>1</DefaultValue>
+          <Description>Configures when profiles will be deleted. Allowed values: 0 (delete immediately upon device returning to a state with no currently active users); 1 (delete at storage capacity threshold); 2 (delete at both storage capacity threshold and profile inactivity threshold).</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <ZeroOrOne />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFTitle>Profile deletion policy</DFTitle>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Delete immediately upon device returning to a state with no currently active users)</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Delete at storage capacity threshold</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>2</MSFT:Value>
+              <MSFT:ValueDescription>Delete at both storage capacity threshold and profile inactivity threshold</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>StorageCapacityStartDeletion</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>25</DefaultValue>
+          <Description>Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <ZeroOrOne />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFTitle>Storage capacity threshold to start profile deletion</DFTitle>
+          <DFType>
+            <MIME />
           </DFType>
         </DFProperties>
-        <Node>
-          <NodeName>UserProfileManagement</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Get />
-            </AccessType>
-            <DFFormat>
-              <node />
-            </DFFormat>
-            <Occurrence>
-              <One />
-            </Occurrence>
-            <Scope>
-              <Permanent />
-            </Scope>
-            <DFType>
-              <DDFName></DDFName>
-            </DFType>
-          </DFProperties>
-          <Node>
-            <NodeName>EnableProfileManager</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Add />
-                <Delete />
-                <Replace />
-              </AccessType>
-              <DefaultValue>false</DefaultValue>
-              <Description>Enable profile lifetime management for shared or communal device scenarios.</Description>
-              <DFFormat>
-                <bool />
-              </DFFormat>
-              <Occurrence>
-                <ZeroOrOne />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFTitle>Enable profile manager</DFTitle>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>DeletionPolicy</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Add />
-                <Delete />
-                <Replace />
-              </AccessType>
-              <DefaultValue>1</DefaultValue>
-              <Description>Configures when profiles will be deleted. Allowed values: 0 (delete immediately upon device returning to a state with no currently active users); 1 (delete at storage capacity threshold); 2 (delete at both storage capacity threshold and profile inactivity threshold).</Description>
-              <DFFormat>
-                <int />
-              </DFFormat>
-              <Occurrence>
-                <ZeroOrOne />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFTitle>Profile deletion policy</DFTitle>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>StorageCapacityStartDeletion</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Add />
-                <Delete />
-                <Replace />
-              </AccessType>
-              <DefaultValue>25</DefaultValue>
-              <Description>Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first.</Description>
-              <DFFormat>
-                <int />
-              </DFFormat>
-              <Occurrence>
-                <ZeroOrOne />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFTitle>Storage capacity threshold to start profile deletion</DFTitle>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>StorageCapacityStopDeletion</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Add />
-                <Delete />
-                <Replace />
-              </AccessType>
-              <DefaultValue>50</DefaultValue>
-              <Description>Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles.</Description>
-              <DFFormat>
-                <int />
-              </DFFormat>
-              <Occurrence>
-                <ZeroOrOne />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFTitle>Storage capacity threshold to stop profile deletion</DFTitle>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>ProfileInactivityThreshold</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Add />
-                <Delete />
-                <Replace />
-              </AccessType>
-              <DefaultValue>30</DefaultValue>
-              <Description>Start deleting profiles when they have not been logged on during the specified period, given as number of days.</Description>
-              <DFFormat>
-                <int />
-              </DFFormat>
-              <Occurrence>
-                <ZeroOrOne />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFTitle>Profile inactive threshold</DFTitle>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-        </Node>
       </Node>
+      <Node>
+        <NodeName>StorageCapacityStopDeletion</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>50</DefaultValue>
+          <Description>Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <ZeroOrOne />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFTitle>Storage capacity threshold to stop profile deletion</DFTitle>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>ProfileInactivityThreshold</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>30</DefaultValue>
+          <Description>Start deleting profiles when they have not been logged on during the specified period, given as number of days.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <ZeroOrOne />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFTitle>Profile inactive threshold</DFTitle>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+    </Node>
+  </Node>
 </MgmtTree>
 ```
 
-## Related topics
+## Related articles
 
-[AccountManagement configuration service provider](accountmanagement-csp.md)
\ No newline at end of file
+[AccountManagement configuration service provider reference](accountmanagement-csp.md)
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index 9e3a505d95..86ff222dcc 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -46,7 +46,7 @@ Root node.
 Interior node for the account domain information.
 
 <a href="" id="domain-computername"></a>**Domain/ComputerName**
-This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
+This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Microsoft Entra ID and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
 
 Available naming macros:
 
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index eea5bba65f..448ed58929 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -236,7 +236,7 @@ The expected values for this policy are:
 
 1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed.
 
-0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Azure Active Directory joined devices.
+0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Microsoft Entra joined devices.
 
 Windows will attempt to silently enable BitLocker for value 0.
 <!-- Device-AllowWarningForOtherDiskEncryption-Description-End -->
@@ -244,12 +244,12 @@ Windows will attempt to silently enable BitLocker for value 0.
 <!-- Device-AllowWarningForOtherDiskEncryption-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
+> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Microsoft Entra account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
 >
 > The endpoint for a fixed data drive's backup is chosen in the following order:
 >
 > 1. The user's Windows Server Active Directory Domain Services account.
-> 2. The user's Azure Active Directory account.
+> 2. The user's Microsoft Entra account.
 > 3. The user's personal OneDrive (MDM/MAM only).
 >
 > Encryption will wait until one of these three locations backs up successfully.
@@ -270,7 +270,7 @@ Windows will attempt to silently enable BitLocker for value 0.
 
 | Value | Description |
 |:--|:--|
-| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. |
+| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Microsoft Entra joined devices. Windows will attempt to silently enable BitLocker for value 0. |
 | 1 (Default) | Warning prompt allowed. |
 <!-- Device-AllowWarningForOtherDiskEncryption-AllowedValues-End -->
 
@@ -312,9 +312,9 @@ Windows will attempt to silently enable BitLocker for value 0.
 
 <!-- Device-ConfigureRecoveryPasswordRotation-Description-Begin -->
 <!-- Description-Source-DDF -->
-Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices.
+Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Microsoft Entra ID and Hybrid domain joined devices.
 
-When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
+When not configured, Rotation is turned on by default for Microsoft Entra-only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
 
 For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".
 
@@ -322,8 +322,8 @@ For Fixed drives: Turn on "Do not enable BitLocker until recovery information is
 
 Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
 
-1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value
-2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices.
+1 - Numeric Recovery Passwords Rotation upon use ON for Microsoft Entra joined devices. Default value
+2 - Numeric Recovery Passwords Rotation upon use ON for both Microsoft Entra ID and Hybrid devices.
 <!-- Device-ConfigureRecoveryPasswordRotation-Description-End -->
 
 <!-- Device-ConfigureRecoveryPasswordRotation-Editable-Begin -->
@@ -346,8 +346,8 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Refresh off (default). |
-| 1 | Refresh on for Azure AD-joined devices. |
-| 2 | Refresh on for both Azure AD-joined and hybrid-joined devices. |
+| 1 | Refresh on for Microsoft Entra joined devices. |
+| 2 | Refresh on for both Microsoft Entra joined and hybrid-joined devices. |
 <!-- Device-ConfigureRecoveryPasswordRotation-AllowedValues-End -->
 
 <!-- Device-ConfigureRecoveryPasswordRotation-Examples-Begin -->
@@ -1269,7 +1269,7 @@ Disabling the policy won't turn off the encryption on the storage card. But will
 
 <!-- Device-RotateRecoveryPasswords-Description-Begin -->
 <!-- Description-Source-DDF -->
-Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device.
+Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on a Microsoft Entra ID or hybrid-joined device.
 
 This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
 
@@ -1401,12 +1401,14 @@ This value represents a bitmask with each bit and the corresponding error code d
 | 8 |Recovery key backup failed.|
 | 9 |A fixed drive is unprotected.|
 | 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.|
-| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.|
+| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or if the device is joined to Microsoft Entra ID, the AllowStandardUserEncryption policy must be set to 1.|
 | 12 |Windows Recovery Environment (WinRE) isn't configured.|
 | 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. |
 | 14 |The TPM isn't ready for BitLocker.|
 | 15 |The network isn't available, which is required for recovery key backup. |
-| 16-31 |For future use.|
+| 16 |The encryption type of the OS volume for full disk versus used space only encryption doesn't match the BitLocker policy.|
+| 17 |The encryption type of the fixed drive for full disk versus used space only encryption doesn't match the BitLocker policy.|
+| 18-31 |For future use.|
 <!-- Device-Status-DeviceEncryptionStatus-Editable-End -->
 
 <!-- Device-Status-DeviceEncryptionStatus-DFProperties-Begin -->
diff --git a/windows/client-management/mdm/clouddesktop-ddf-file.md b/windows/client-management/mdm/clouddesktop-ddf-file.md
index d2884cb925..8128e3e6e5 100644
--- a/windows/client-management/mdm/clouddesktop-ddf-file.md
+++ b/windows/client-management/mdm/clouddesktop-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 07/25/2023
+ms.date: 08/29/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the C
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>22631.2050</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>
@@ -60,7 +60,7 @@ The following XML file contains the device description framework (DDF) for the C
           <Replace />
         </AccessType>
         <DefaultValue>false</DefaultValue>
-        <Description>Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling boot to cloud shared pc feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.</Description>
+        <Description>Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling Boot to Cloud Shared PC feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.</Description>
         <DFFormat>
           <bool />
         </DFFormat>
diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md
index 121ac1c046..ad995b441b 100644
--- a/windows/client-management/mdm/configuration-service-provider-ddf.md
+++ b/windows/client-management/mdm/configuration-service-provider-ddf.md
@@ -20,7 +20,7 @@ This article lists the OMA DM device description framework (DDF) files for vario
 
 As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
 
-- [DDF v2 Files, December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
+- [DDF v2 Files, September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip)
 
 ## DDF v2 schema
 
@@ -582,6 +582,7 @@ DDF v2 XML schema definition is listed below along with the schema definition fo
 
 You can download the older DDF files for various CSPs from the links below:
 
+- [Download all the DDF files for Windows 10 and 11 December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
 - [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)
 - [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip)
 - [Download all the DDF files for Windows 10, version 1809](https://download.microsoft.com/download/6/A/7/6A735141-5CFA-4C1B-94F4-B292407AF662/Windows10_1809_DDF_download.zip)
diff --git a/windows/client-management/mdm/declaredconfiguration-csp.md b/windows/client-management/mdm/declaredconfiguration-csp.md
new file mode 100644
index 0000000000..ac422bfdcc
--- /dev/null
+++ b/windows/client-management/mdm/declaredconfiguration-csp.md
@@ -0,0 +1,1049 @@
+---
+title: DeclaredConfiguration CSP
+description: Learn more about the DeclaredConfiguration CSP.
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 09/27/2023
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- DeclaredConfiguration-Begin -->
+# DeclaredConfiguration CSP
+
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
+<!-- DeclaredConfiguration-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+The primary MDM model is one where the MDM server is solely responsible for orchestration and continuous maintenance of the state of the device for configuration scenarios. This behavior results in intensive network traffic and high network latency due to the synchronous configuration model based on the OMA-DM Syncml standard. It's also error-prone given that the server needs deep knowledge of the client.
+
+The declared configuration device management model requires the server to deliver all the setting values to the device for the scenario configuration. The server sends them asynchronously in batches through the client declared configuration CSP.
+
+- During the client-initiated OMA-DM session, the declared configuration server sends a configuration or an inventory declared configuration document to the client through the [Declared Configuration CSP URI](#declared-configuration-oma-uri). If the device verifies the syntax of the document is correct, the client stack pushes the request to its orchestrator to process the request asynchronously. The client stack then exits, and returns control back to the declared configuration service. This behavior allows the device to asynchronously process the request.
+
+- On the client, if there are any requests in process or completed, it sends a [generic alert](#declared-configuration-generic-alert) to the server. This alert summarizes each document's status, state, and progress. Every client HTTPS request to the declared configuration OMA-DM server includes this summary.
+
+- The declared configuration server uses the generic alert to determine which requests are completed successfully or with errors. The server can then synchronously retrieve the declared configuration document process results through the [Declared Configuration CSP URI](#declared-configuration-oma-uri).
+<!-- DeclaredConfiguration-Editable-End -->
+
+<!-- DeclaredConfiguration-Tree-Begin -->
+The following list shows the DeclaredConfiguration configuration service provider nodes:
+
+- ./Device/Vendor/MSFT/DeclaredConfiguration
+  - [Host](#host)
+    - [Complete](#hostcomplete)
+      - [Documents](#hostcompletedocuments)
+        - [{DocID}](#hostcompletedocumentsdocid)
+          - [Document](#hostcompletedocumentsdociddocument)
+          - [Properties](#hostcompletedocumentsdocidproperties)
+            - [Abandoned](#hostcompletedocumentsdocidpropertiesabandoned)
+      - [Results](#hostcompleteresults)
+        - [{DocID}](#hostcompleteresultsdocid)
+          - [Document](#hostcompleteresultsdociddocument)
+    - [Inventory](#hostinventory)
+      - [Documents](#hostinventorydocuments)
+        - [{DocID}](#hostinventorydocumentsdocid)
+          - [Document](#hostinventorydocumentsdociddocument)
+      - [Results](#hostinventoryresults)
+        - [{DocID}](#hostinventoryresultsdocid)
+          - [Document](#hostinventoryresultsdociddocument)
+<!-- DeclaredConfiguration-Tree-End -->
+
+<!-- Device-Host-Begin -->
+## Host
+
+<!-- Device-Host-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Applicability-End -->
+
+<!-- Device-Host-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host
+```
+<!-- Device-Host-OmaUri-End -->
+
+<!-- Device-Host-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Host internal node indicates that the target of the configuration request or inventory request is the host OS. This node is for scope in case enclaves are ever targeted for configuration.
+<!-- Device-Host-Description-End -->
+
+<!-- Device-Host-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Editable-End -->
+
+<!-- Device-Host-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-Host-DFProperties-End -->
+
+<!-- Device-Host-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Examples-End -->
+
+<!-- Device-Host-End -->
+
+<!-- Device-Host-Complete-Begin -->
+### Host/Complete
+
+<!-- Device-Host-Complete-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Applicability-End -->
+
+<!-- Device-Host-Complete-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete
+```
+<!-- Device-Host-Complete-OmaUri-End -->
+
+<!-- Device-Host-Complete-Description-Begin -->
+<!-- Description-Source-DDF -->
+This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that don't contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is.
+<!-- Device-Host-Complete-Description-End -->
+
+<!-- Device-Host-Complete-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+The server to client flow of the **Complete** request is the same as an **Inventory** request.
+<!-- Device-Host-Complete-Editable-End -->
+
+<!-- Device-Host-Complete-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-Host-Complete-DFProperties-End -->
+
+<!-- Device-Host-Complete-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Examples-End -->
+
+<!-- Device-Host-Complete-End -->
+
+<!-- Device-Host-Complete-Documents-Begin -->
+#### Host/Complete/Documents
+
+<!-- Device-Host-Complete-Documents-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Documents-Applicability-End -->
+
+<!-- Device-Host-Complete-Documents-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents
+```
+<!-- Device-Host-Complete-Documents-OmaUri-End -->
+
+<!-- Device-Host-Complete-Documents-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Documents node indicates that the configuration is in the form of a document, which is a collection of settings used to configure a scenario by the Declared Configuration stack.
+<!-- Device-Host-Complete-Documents-Description-End -->
+
+<!-- Device-Host-Complete-Documents-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-Editable-End -->
+
+<!-- Device-Host-Complete-Documents-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-Host-Complete-Documents-DFProperties-End -->
+
+<!-- Device-Host-Complete-Documents-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-Examples-End -->
+
+<!-- Device-Host-Complete-Documents-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Begin -->
+##### Host/Complete/Documents/{DocID}
+
+<!-- Device-Host-Complete-Documents-{DocID}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Documents-{DocID}-Applicability-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/{DocID}
+```
+<!-- Device-Host-Complete-Documents-{DocID}-OmaUri-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Description-Begin -->
+<!-- Description-Source-DDF -->
+Uniquely identifies the configuration document. No other document can have this id. The Id should be a GUID.
+<!-- Device-Host-Complete-Documents-{DocID}-Description-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Editable-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+| Allowed Values | Regular Expression: `[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}` |
+<!-- Device-Host-Complete-Documents-{DocID}-DFProperties-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Examples-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Begin -->
+###### Host/Complete/Documents/{DocID}/Document
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Applicability-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/{DocID}/Document
+```
+<!-- Device-Host-Complete-Documents-{DocID}-Document-OmaUri-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Document node's value is an XML based document containing a collection of settings and values to configure the specified scenario. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68. B9-4320-9. FC4-296. F6FDFAFE2/Document.
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Description-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Editable-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Host-Complete-Documents-{DocID}-Document-DFProperties-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Document-Examples-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Document-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Begin -->
+###### Host/Complete/Documents/{DocID}/Properties
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Applicability-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/{DocID}/Properties
+```
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-OmaUri-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Properties node encapsulates the list of properties that apply to the specified document referenced by [DocID].
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Description-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Editable-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-DFProperties-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Examples-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Begin -->
+###### Host/Complete/Documents/{DocID}/Properties/Abandoned
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Applicability-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/{DocID}/Properties/Abandoned
+```
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-OmaUri-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Abandoned node allows the OMA-DM server to indicate that the document is no longer managed.
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Description-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Editable-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-DFProperties-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | The document is no longer managed. |
+| 1 | The document is managed. |
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-AllowedValues-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-Examples-End -->
+
+<!-- Device-Host-Complete-Documents-{DocID}-Properties-Abandoned-End -->
+
+<!-- Device-Host-Complete-Results-Begin -->
+#### Host/Complete/Results
+
+<!-- Device-Host-Complete-Results-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Results-Applicability-End -->
+
+<!-- Device-Host-Complete-Results-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results
+```
+<!-- Device-Host-Complete-Results-OmaUri-End -->
+
+<!-- Device-Host-Complete-Results-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Results node indicates that this is part of the URI path that will return an XML document containing the results of the configuration request.
+<!-- Device-Host-Complete-Results-Description-End -->
+
+<!-- Device-Host-Complete-Results-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Results-Editable-End -->
+
+<!-- Device-Host-Complete-Results-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+<!-- Device-Host-Complete-Results-DFProperties-End -->
+
+<!-- Device-Host-Complete-Results-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Results-Examples-End -->
+
+<!-- Device-Host-Complete-Results-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Begin -->
+##### Host/Complete/Results/{DocID}
+
+<!-- Device-Host-Complete-Results-{DocID}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Results-{DocID}-Applicability-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/{DocID}
+```
+<!-- Device-Host-Complete-Results-{DocID}-OmaUri-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Description-Begin -->
+<!-- Description-Source-DDF -->
+Uniquely identifies the configuration document in which results of the configuration request will be returned.
+<!-- Device-Host-Complete-Results-{DocID}-Description-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Results-{DocID}-Editable-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+| Dynamic Node Naming | ClientInventory |
+<!-- Device-Host-Complete-Results-{DocID}-DFProperties-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Results-{DocID}-Examples-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-Begin -->
+###### Host/Complete/Results/{DocID}/Document
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Complete-Results-{DocID}-Document-Applicability-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/{DocID}/Document
+```
+<!-- Device-Host-Complete-Results-{DocID}-Document-OmaUri-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Document node's value is an XML based document containing a collection of setting results from the configuration request specified by [DocId].
+<!-- Device-Host-Complete-Results-{DocID}-Document-Description-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Results-{DocID}-Document-Editable-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+<!-- Device-Host-Complete-Results-{DocID}-Document-DFProperties-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Complete-Results-{DocID}-Document-Examples-End -->
+
+<!-- Device-Host-Complete-Results-{DocID}-Document-End -->
+
+<!-- Device-Host-Inventory-Begin -->
+### Host/Inventory
+
+<!-- Device-Host-Inventory-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Applicability-End -->
+
+<!-- Device-Host-Inventory-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory
+```
+<!-- Device-Host-Inventory-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Inventory internal node indicates that this is an inventory request. The setting values to be retrieved are specified in an XML document through the Document leaf node.
+<!-- Device-Host-Inventory-Description-End -->
+
+<!-- Device-Host-Inventory-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+The server to client flow of the **Inventory** request is the same as the **Complete** request.
+<!-- Device-Host-Inventory-Editable-End -->
+
+<!-- Device-Host-Inventory-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-Host-Inventory-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Examples-End -->
+
+<!-- Device-Host-Inventory-End -->
+
+<!-- Device-Host-Inventory-Documents-Begin -->
+#### Host/Inventory/Documents
+
+<!-- Device-Host-Inventory-Documents-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Documents-Applicability-End -->
+
+<!-- Device-Host-Inventory-Documents-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents
+```
+<!-- Device-Host-Inventory-Documents-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Documents-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Documents node indicates that the inventory request is in the form of a document, which is a collection of settings used to retrieve their values.
+<!-- Device-Host-Inventory-Documents-Description-End -->
+
+<!-- Device-Host-Inventory-Documents-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Documents-Editable-End -->
+
+<!-- Device-Host-Inventory-Documents-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+<!-- Device-Host-Inventory-Documents-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Documents-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Documents-Examples-End -->
+
+<!-- Device-Host-Inventory-Documents-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Begin -->
+##### Host/Inventory/Documents/{DocID}
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Documents-{DocID}-Applicability-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/{DocID}
+```
+<!-- Device-Host-Inventory-Documents-{DocID}-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Description-Begin -->
+<!-- Description-Source-DDF -->
+Uniquely identifies the inventory document. No other document can have this id. The Id should be a GUID.
+<!-- Device-Host-Inventory-Documents-{DocID}-Description-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Documents-{DocID}-Editable-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+| Allowed Values | Regular Expression: `[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}` |
+<!-- Device-Host-Inventory-Documents-{DocID}-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Documents-{DocID}-Examples-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Begin -->
+###### Host/Inventory/Documents/{DocID}/Document
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Applicability-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/{DocID}/Document
+```
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Document node's value is an XML based document containing a collection of settings that will be used to retrieve their values. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68. B9-4320-9. FC4-296. F6FDFAFE2/Document.
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Description-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Editable-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-Examples-End -->
+
+<!-- Device-Host-Inventory-Documents-{DocID}-Document-End -->
+
+<!-- Device-Host-Inventory-Results-Begin -->
+#### Host/Inventory/Results
+
+<!-- Device-Host-Inventory-Results-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Results-Applicability-End -->
+
+<!-- Device-Host-Inventory-Results-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results
+```
+<!-- Device-Host-Inventory-Results-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Results-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Results node indicates that this is part of the URI path that will return an XML document containing the results of the inventory request.
+<!-- Device-Host-Inventory-Results-Description-End -->
+
+<!-- Device-Host-Inventory-Results-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Results-Editable-End -->
+
+<!-- Device-Host-Inventory-Results-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+<!-- Device-Host-Inventory-Results-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Results-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Results-Examples-End -->
+
+<!-- Device-Host-Inventory-Results-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Begin -->
+##### Host/Inventory/Results/{DocID}
+
+<!-- Device-Host-Inventory-Results-{DocID}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Results-{DocID}-Applicability-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results/{DocID}
+```
+<!-- Device-Host-Inventory-Results-{DocID}-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Description-Begin -->
+<!-- Description-Source-DDF -->
+Uniquely identifies the inventory document. No other document can have this id. The Id should be a GUID.
+<!-- Device-Host-Inventory-Results-{DocID}-Description-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Results-{DocID}-Editable-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+| Dynamic Node Naming | ClientInventory |
+<!-- Device-Host-Inventory-Results-{DocID}-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Results-{DocID}-Examples-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Begin -->
+###### Host/Inventory/Results/{DocID}/Document
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Applicability-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results/{DocID}/Document
+```
+<!-- Device-Host-Inventory-Results-{DocID}-Document-OmaUri-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Description-Begin -->
+<!-- Description-Source-DDF -->
+The Document node's value is an XML based document containing a collection of setting results from the inventory request specified by [DocId].
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Description-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Editable-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+<!-- Device-Host-Inventory-Results-{DocID}-Document-DFProperties-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Host-Inventory-Results-{DocID}-Document-Examples-End -->
+
+<!-- Device-Host-Inventory-Results-{DocID}-Document-End -->
+
+<!-- DeclaredConfiguration-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+## Declared configuration OMA URI
+
+A declared configuration request is sent using an OMA-URI similar to `./Device/Vendor/MSFT/DeclaredConfiguration/Host/[Complete|Inventory]/Documents/{DocID}/Document`.
+
+- The URI is prefixed with a targeted scope. The target of the scenario settings can only be device wide for extensibility. The scope should be `Device`.
+- `{DocID}` is a unique identifier for the desired state of the configuration scenario. Every document must have an ID, which must be a GUID.
+- The request can be a **Configuration**, **Inventory**, or **Complete** request.
+
+The following URI is an example of a **Complete** request: `./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document`
+
+## DeclaredConfiguration document XML
+
+The value of the leaf node `Document` is an XML document that describes the request. The actual processing of the request pivots around the `osdefinedscenario` tag:
+
+- `MSFTExtensibilityMIProviderConfig`: Used to configure MI provider settings.
+- `MSFTExtensibilityMIProviderInventory`:  Used to retrieve MI provider setting values.
+
+The DeclaredConfiguration CSP synchronously validates the batch of settings described by the `<DeclaredConfiguration>` element, which represents the declared configuration document. It checks for correct syntax based on the declared configuration XML schema. If there's a syntax error, the CSP returns an error immediately back to the server as part of the current OMA-DM session. If the syntax check passes, then the request is passed on to a Windows service. The Windows service asynchronously attempts the desired state configuration of the specified scenario. This process frees up the server to do other work thus the low latency of this  declared configuration protocol. The Windows client service, the orchestrator, is responsible for driving the configuration of the device based on the server supplied desire state. The service also maintains this state throughout its lifetime, until the server removes or modifies it.
+
+The following example uses the built-in, native MI provider `MSFT_FileDirectoryConfiguration` with the OS-defined scenario `MSFTExtensibilityMIProviderConfig`:
+
+```xml
+<DeclaredConfiguration schema="1.0" context="Device" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999" osdefinedscenario="MSFTExtensibilityMIProviderConfig">
+    <DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration">
+        <Key name="DestinationPath">c:\data\test\bin\ut_extensibility.tmp</Key>
+        <Value name="Contents">TestFileContentBlah</Value>
+    </DSC>
+</DeclaredConfiguration>
+```
+
+The standard OMA-DM SyncML syntax is used to specify the DeclaredConfiguration CSP operations such as **Replace**, **Set**, and **Delete**. The payload of the SyncML's `<Data>` element must be XML-encoded. For this XML encoding, there are various online encoders that you can use. To avoid encoding the payload, you can use [CDATA Section](https://www.w3.org/TR/REC-xml/#sec-cdata-sect) as shown in the following example:
+
+```xml
+<?xml version="1.0" encoding="utf-8"?>
+<SyncML xmlns="SYNCML:SYNCML1.1">
+  <SyncBody>
+    <Replace>
+      <CmdID>14</CmdID>
+      <Item>
+        <Target>
+          <LocURI> ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/99988660-9080-3433-96e8-f32e85011999/Document</LocURI>
+        </Target>
+        <Data>
+          <![CDATA[<DeclaredConfiguration schema="1.0" context="Device" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999" osdefinedscenario="MSFTExtensibilityMIProviderConfig">
+                <DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration">
+                    <Key name="DestinationPath">c:\data\test\bin\ut_extensibility.tmp</Key>
+                    <Value name="Contents">TestFileContentBlah</Value>
+                </DSC>
+            </DeclaredConfiguration>]]>
+        </Data>
+      </Item>
+    </Replace>
+    <Final/>
+  </SyncBody>
+</SyncML>
+```
+
+### DeclaredConfiguration XML document tags
+
+Both `MSFTExtensibilityMIProviderConfig` and `MSFTExtensibilityMIProviderInventory` are OS-defined scenarios that require the same tags and attributes.
+
+- The `<DeclaredConfiguration>` XML tag specifies the details of the declared configuration document to process. The document could be part of a configuration request or an inventory request. The DeclaredConfiguration CSP has two URIs to allow the specification of a configuration or an inventory request.
+
+    This tag has the following attributes:
+
+    | Attribute | Description |
+    |--|--|
+    | `schema` | The schema version of the xml. Currently `1.0`. |
+    | `context` | States that this document is targeting the device. The value should be `Device`. |
+    | `id` | The unique identifier of the document set by the server. This value should be a GUID. |
+    | `checksum` | This value is the server-supplied version of the document. |
+    | `osdefinedscenario` | The named scenario that the client should configure with the given configuration data. For  extensibility, the scenario is either `MSFTExtensibilityMIProviderConfig` or `MSFTExtensibilityMIProviderInventory`. |
+
+- The `<DSC>` XML tag describes the targeted WMI provider expressed by a namespace and class name along with the values either to be applied to the device or queried by the MI provider.
+
+    This tag has the following attributes:
+
+    | Attribute | Description |
+    |--|--|
+    | `namespace` | Specifies the targeted MI provider namespace. |
+    | `classname` | The targeted MI provider. |
+
+- The `<Key>` XML tag describes the required parameter name and value. It only needs a value for configuration. The name is an attribute and the value is `<Key>` content.
+
+    This tag has the following attributes:
+
+    | Attribute | Description |
+    |--|--|
+    | `name` | Specifies the name of an MI provider parameter. |
+
+- The `<Value>` XML tag describes the optional parameter name and value. It only needs a value for configuration. The name is an attribute and the value is `<Value>` content.
+
+    This tag has the following attributes:
+
+    | Attribute | Description |
+    |--|--|
+    | `name` | Specifies the name of an MI provider parameter. |
+
+## Declared configuration generic alert
+
+On every client response to the server's request, the client constructs a declared configuration alert. This alert summarizes the state of each of the documents that the Windows service has processed. The following XML is an example alert:
+
+```xml
+<Alert>
+  <CmdID>1</CmdID>
+  <Data>1224</Data>
+  <Item>
+    <Meta>
+      <Type xmlns="syncml:metinf">com.microsoft.mdm.declaredconfigurationdocuments</Type>
+    </Meta>
+    <Data>
+      <DeclaredConfigurations schema="1.0">
+        <DeclaredConfiguration context="Device"
+                               id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2"
+                               checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999"
+                               result_checksum="EE4F1636201B0D39F71654427E420E625B9459EED17ACCEEE1AC9B358F4283FD"
+                               state="60" />
+      </DeclaredConfigurations>
+    </Data>
+  </Item>
+</Alert>
+```
+
+In this example, there's one declared configuration document listed in the alert summary. The alert summary lists every document that the client stack is processing, either a configuration or inventory request. It describes the context of the document that specifies the scope of how the document is applied. The **context** value should be `Device`.
+
+The **state** attribute has a value of `60`, which indicates that the document was processed successfully. The following class defines the other state values:
+
+```csharp
+enum class DCCSPURIState :unsigned long
+{
+    NotDefined = 0, // transient
+    ConfigRequest = 1, // transient
+    ConfigInprogress = 2, // transient
+    ConfigInProgressAsyncPending = 3, // transient: Async operation is performed but pending results
+    DeleteRequest = 10,  // transient
+    DeleteInprogress = 11,  // transient
+
+    GetRequest = 20,  // transient
+    GetInprogress = 21,  // transient
+
+    ConstructURIStorageSuccess = 40, // transient
+
+    ConfigCompletedSuccess = 60, // permanent
+    ConfigCompletedError = 61, // permanent
+    ConfigInfraError = 62, // permanent
+    ConfigCompletedSuccessNoRefresh = 63, // permanent
+
+    DeleteCompletedSuccess = 70, // permanent
+    DeleteCompletedError = 71, // permanent
+    DeleteInfraError = 72, // permanent
+
+    GetCompletedSuccess = 80, // permanent
+    GetCompletedError = 81, // permanent
+    GetInfraError = 82 // permanent
+};
+```
+
+## SyncML examples
+
+- Retrieve the results of a configuration or inventory request:
+
+    ```xml
+    <SyncML xmlns="SYNCML:SYNCML1.1">
+      <SyncBody>
+        <Get>
+          <CmdID>2</CmdID>
+          <Item>
+            <Meta>
+              <Format>chr</Format>
+              <Type>text/plain</Type>
+            </Meta>
+            <Target>
+              <LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
+            </Target>
+          </Item>
+        </Get>
+        <Final />
+      </SyncBody>
+    </SyncML>
+    ```
+
+    ```xml
+    <Status>
+        <CmdID>2</CmdID>
+        <MsgRef>1</MsgRef>
+        <CmdRef>2</CmdRef>
+        <Cmd>Get</Cmd>
+        <Data>200</Data>
+    </Status>
+    <Results>
+        <CmdID>3</CmdID>
+        <MsgRef>1</MsgRef>
+        <CmdRef>2</CmdRef>
+        <Item>
+            <Source>
+                <LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Results/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
+            </Source>
+            <Data>
+                <DeclaredConfigurationResult context="Device" schema="1.0" id="99988660-9080-3433-96e8-f32e85011999" osdefinedscenario="MSFTPolicies" checksum="99925209110918B67FE962460137AA3440AFF4DB6ABBE15C8F499682457B9999" result_checksum="EE4F1636201B0D39F71654427E420E625B9459EED17ACCEEE1AC9B358F4283FD" operation="Set" state="60">
+                    <DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration" status="200" state="60">
+                        <Key name="DestinationPath" />
+                        <Value name="Contents" />
+                    </DSC>
+                </DeclaredConfigurationResult>
+            </Data>
+        </Item>
+    </Results>
+    ```
+
+- Replace a configuration or inventory request
+
+    ```xml
+    <SyncML xmlns="SYNCML:SYNCML1.1">
+      <SyncBody>
+        <Replace>
+          <CmdID>14</CmdID>
+          <Item>
+            <Target>
+              <LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
+            </Target>
+            <Data>
+              <![CDATA[<DeclaredConfiguration schema="1.0" context="Device" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" checksum="99995209110918B67FE962460137AA3440AFF4DB6ABBE15C8F49968245799999" osdefinedscenario="MSFTExtensibilityMIProviderInventory">
+                    <DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration">
+                        <Key name="DestinationPath">c:/temp/foobar.tmp</Key>
+                        <Value name="Contents"></Value>
+                    </DSC>
+                </DeclaredConfiguration>]]>
+            </Data>
+          </Item>
+        </Replace>
+        <Final />
+      </SyncBody>
+    </SyncML>
+    ```
+
+    ```xml
+    <Status>
+        <CmdID>2</CmdID>
+        <MsgRef>1</MsgRef>
+        <CmdRef>2</CmdRef>
+        <Cmd>Get</Cmd>
+        <Data>200</Data>
+    </Status><Results>
+        <CmdID>3</CmdID>
+        <MsgRef>1</MsgRef>
+        <CmdRef>2</CmdRef>
+        <Item>
+            <Source>
+                <LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Results/99998660-9080-3433-96e8-f32e85019999/Document</LocURI>
+            </Source>
+            <Data>
+                <DeclaredConfigurationResult context="Device" schema="1.0" id="27FEA311-68B9-4320-9FC4-296F6FDFAFE2" osdefinedscenario="MSFTExtensibilityMIProviderInventory" checksum="99995209110918B67FE962460137AA3440AFF4DB6ABBE15C8F49968245799999" result_checksum="A27B0D234CBC2FAC1292F1E8FBDF6A90690F3988DEDC9D716829856C9ACE0E20" operation="Get" state="80">
+                    <DSC namespace="root/Microsoft/Windows/DesiredStateConfiguration" className="MSFT_FileDirectoryConfiguration" status="200" state="80">
+                        <Key name="DestinationPath">c:/temp/foobar.tmp</Key>
+                        <Value name="Contents">TestFileContent</Value>
+                    </DSC>
+                </DeclaredConfigurationResult>
+            </Data>
+        </Item>
+    </Results>
+    ```
+
+- Abandon a configuration or inventory request. This process results in the client tracking the document but not reapplying it. The alert has the `Abandoned` property set to `1`, which indicates that the document is no longer managed by the declared configuration server.
+
+    ```xml
+    <SyncML xmlns="SYNCML:SYNCML1.1">
+    <SyncBody>
+        <Replace>
+        <CmdID>2</CmdID>
+        <Item>
+            <Meta>
+            <Format>int</Format>
+            <Type>text/plain</Type>
+            </Meta>
+            <Target>
+            <LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Properties/Abandoned</LocURI>
+            </Target>
+            <Data>1</Data>
+        </Item>
+        </Replace>
+    <Final/>
+    </SyncBody>
+    </SyncML>
+    ```
+
+- Deletion of configuration or inventory request. The SyncML deletion of the document only removes the document but any extensibility settings persist on the device (tattoo).
+
+    ```xml
+    <?xml version="1.0" encoding="utf-8"?>
+    <SyncML xmlns="SYNCML:SYNCML1.1">
+    <SyncBody>
+        <Delete>
+            <CmdID>2</CmdID>
+            <Item>
+            <Target>
+                <LocURI>./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</LocURI>
+            </Target>
+            </Item>
+        </Delete>
+        <Final/>
+        </SyncBody>
+    </SyncML>
+    ```
+<!-- DeclaredConfiguration-CspMoreInfo-End -->
+
+<!-- DeclaredConfiguration-End -->
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/declaredconfiguration-ddf-file.md b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
new file mode 100644
index 0000000000..8f17e34ba0
--- /dev/null
+++ b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
@@ -0,0 +1,482 @@
+---
+title: DeclaredConfiguration DDF file
+description: View the XML file containing the device description framework (DDF) for the DeclaredConfiguration configuration service provider.
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 09/27/2023
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+# DeclaredConfiguration DDF file
+
+The following XML file contains the device description framework (DDF) for the DeclaredConfiguration configuration service provider.
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
+  <VerDTD>1.2</VerDTD>
+  <MSFT:Diagnostics>
+  </MSFT:Diagnostics>
+  <Node>
+    <NodeName>DeclaredConfiguration</NodeName>
+    <Path>./Device/Vendor/MSFT</Path>
+    <DFProperties>
+      <AccessType>
+        <Get />
+      </AccessType>
+      <Description>The Declared Configuration CSP (Configuration Service Provider) allows the OMA-DM server to provide the device with the complete collection of setting names and associated values based on a specified scenario. The Declared Configuration stack on the device is responsible for handling the configuration request along with maintaining its state including updates to the scenario. It also provides the means to retrieve a scenario’s settings from the device. The configuration request and settings retrieval request are performed asynchronously, freeing up the server’s worker thread to do other useful work. The subsequent results can be retrieved through Declared Configuration’s result nodes.</Description>
+      <DFFormat>
+        <node />
+      </DFFormat>
+      <Occurrence>
+        <One />
+      </Occurrence>
+      <Scope>
+        <Permanent />
+      </Scope>
+      <DFType>
+        <MIME />
+      </DFType>
+      <MSFT:Applicability>
+        <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+        <MSFT:CspVersion>9.9</MSFT:CspVersion>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;</MSFT:EditionAllowList>
+      </MSFT:Applicability>
+    </DFProperties>
+    <Node>
+      <NodeName>Host</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Add />
+          <Delete />
+          <Get />
+        </AccessType>
+        <Description>The Host internal node indicates that the target of the configuration request or inventory request is the host OS. This node is for scope in case enclaves are ever targeted for configuration.</Description>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+      </DFProperties>
+      <Node>
+        <NodeName>Complete</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+          </AccessType>
+          <Description>This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that do not contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is.</Description>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <DDFName />
+          </DFType>
+        </DFProperties>
+        <Node>
+          <NodeName>Documents</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+            </AccessType>
+            <Description>The Documents node indicates that the configuration is in the form of a document, which is a collection of settings used to configure a scenario by the Declared Configuration stack.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>
+            </NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+              </AccessType>
+              <Description>Uniquely identifies the configuration document. No other document can have this id. The Id should be a GUID.</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>DocID</DFTitle>
+              <DFType>
+                <DDFName />
+              </DFType>
+              <MSFT:DynamicNodeNaming>
+                <MSFT:ServerGeneratedUniqueIdentifier />
+              </MSFT:DynamicNodeNaming>
+              <MSFT:AllowedValues ValueType="RegEx">
+                <MSFT:Value>[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}</MSFT:Value>
+              </MSFT:AllowedValues>
+            </DFProperties>
+            <Node>
+              <NodeName>Document</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                  <Delete />
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>The Document node's value is an XML based document containing a collection of settings and values to configure the specified scenario. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Complete/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME />
+                </DFType>
+                <MSFT:AllowedValues ValueType="None">
+                </MSFT:AllowedValues>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>Properties</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                  <Delete />
+                  <Get />
+                </AccessType>
+                <Description>The Properties node encapsulates the list of properties that apply to the specified document referenced by [DocID].</Description>
+                <DFFormat>
+                  <node />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <DDFName />
+                </DFType>
+              </DFProperties>
+              <Node>
+                <NodeName>Abandoned</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <DefaultValue>0</DefaultValue>
+                  <Description>The Abandoned node allows the OMA-DM server to indicate that the document is no longer managed.</Description>
+                  <DFFormat>
+                    <int />
+                  </DFFormat>
+                  <Occurrence>
+                    <One />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME />
+                  </DFType>
+                  <MSFT:AllowedValues ValueType="ENUM">
+                    <MSFT:Enum>
+                      <MSFT:Value>0</MSFT:Value>
+                      <MSFT:ValueDescription>The document is no longer managed.</MSFT:ValueDescription>
+                    </MSFT:Enum>
+                    <MSFT:Enum>
+                      <MSFT:Value>1</MSFT:Value>
+                      <MSFT:ValueDescription>The document is managed.</MSFT:ValueDescription>
+                    </MSFT:Enum>
+                  </MSFT:AllowedValues>
+                </DFProperties>
+              </Node>
+            </Node>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>Results</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>The Results node indicates that this is part of the URI path that will return an XML document containing the results of the configuration request.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>
+            </NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+              </AccessType>
+              <Description>Uniquely identifies the configuration document in which results of the configuration request will be returned.</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>DocID</DFTitle>
+              <DFType>
+                <DDFName />
+              </DFType>
+              <MSFT:DynamicNodeNaming>
+                <MSFT:ClientInventory />
+              </MSFT:DynamicNodeNaming>
+            </DFProperties>
+            <Node>
+              <NodeName>Document</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>The Document node's value is an XML based document containing a collection of setting results from the configuration request specified by [DocId].</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME />
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+      </Node>
+      <Node>
+        <NodeName>Inventory</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+          </AccessType>
+          <Description>The Inventory internal node indicates that this is an inventory request. The setting values to be retrieved are specified in an XML document through the Document leaf node.</Description>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <DDFName />
+          </DFType>
+        </DFProperties>
+        <Node>
+          <NodeName>Documents</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+            </AccessType>
+            <Description>The Documents node indicates that the inventory request is in the form of a document, which is a collection of settings used to retrieve their values.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>
+            </NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+              </AccessType>
+              <Description>Uniquely identifies the inventory document. No other document can have this id. The Id should be a GUID.</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>DocID</DFTitle>
+              <DFType>
+                <DDFName />
+              </DFType>
+              <MSFT:DynamicNodeNaming>
+                <MSFT:ServerGeneratedUniqueIdentifier />
+              </MSFT:DynamicNodeNaming>
+              <MSFT:AllowedValues ValueType="RegEx">
+                <MSFT:Value>[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}</MSFT:Value>
+              </MSFT:AllowedValues>
+            </DFProperties>
+            <Node>
+              <NodeName>Document</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                  <Delete />
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>The Document node's value is an XML based document containing a collection of settings that will be used to retrieve their values. The Declared Configuration stack verifies the syntax of the document, the stack marks the document to be processed asynchronously by the client. The stack then returns control back to the OMA-DM service. The stack, in turn, asynchronously processes the request. Below is an example of a specified desired state configuration using the Declared Configuration URI ./Device/Vendor/MSFT/DeclaredConfiguration/Host/Inventory/Documents/27FEA311-68B9-4320-9FC4-296F6FDFAFE2/Document</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME />
+                </DFType>
+                <MSFT:AllowedValues ValueType="None">
+                </MSFT:AllowedValues>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>Results</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>The Results node indicates that this is part of the URI path that will return an XML document containing the results of the inventory request.</Description>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName />
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>
+            </NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+              </AccessType>
+              <Description>Uniquely identifies the inventory document. No other document can have this id. The Id should be a GUID.</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>DocID</DFTitle>
+              <DFType>
+                <DDFName />
+              </DFType>
+              <MSFT:DynamicNodeNaming>
+                <MSFT:ClientInventory />
+              </MSFT:DynamicNodeNaming>
+            </DFProperties>
+            <Node>
+              <NodeName>Document</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>The Document node's value is an XML based document containing a collection of setting results from the inventory request specified by [DocId].</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME />
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+      </Node>
+    </Node>
+  </Node>
+</MgmtTree>
+```
+
+## Related articles
+
+[DeclaredConfiguration configuration service provider reference](declaredconfiguration-csp.md)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index f526723268..fb4186237a 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/29/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -57,6 +57,7 @@ The following list shows the Defender configuration service provider nodes:
     - [DisableInboundConnectionFiltering](#configurationdisableinboundconnectionfiltering)
     - [DisableLocalAdminMerge](#configurationdisablelocaladminmerge)
     - [DisableNetworkProtectionPerfTelemetry](#configurationdisablenetworkprotectionperftelemetry)
+    - [DisableQuicParsing](#configurationdisablequicparsing)
     - [DisableRdpParsing](#configurationdisablerdpparsing)
     - [DisableSmtpParsing](#configurationdisablesmtpparsing)
     - [DisableSshParsing](#configurationdisablesshparsing)
@@ -492,7 +493,7 @@ Define the retention period in days of how much time the evidence data will be k
 
 <!-- Device-Configuration-DataDuplicationMaximumQuota-Description-Begin -->
 <!-- Description-Source-DDF -->
-Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum.
+Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum. The valid interval is [5-5000] MB. By default, the maximum quota will be 500 MB.
 <!-- Device-Configuration-DataDuplicationMaximumQuota-Description-End -->
 
 <!-- Device-Configuration-DataDuplicationMaximumQuota-Editable-Begin -->
@@ -504,8 +505,10 @@ Defines the maximum data duplication quota in MB that can be collected. When the
 
 | Property name | Property value |
 |:--|:--|
-| Format | `chr` (string) |
+| Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[5-5000]` |
+| Default Value  | 500 |
 <!-- Device-Configuration-DataDuplicationMaximumQuota-DFProperties-End -->
 
 <!-- Device-Configuration-DataDuplicationMaximumQuota-Examples-Begin -->
@@ -570,7 +573,7 @@ Define data duplication remote location for device control.
 
 <!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-Begin -->
 <!-- Description-Source-DDF -->
-Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If set to 0, aggressive quick scans will be disabled. By default, the value is set to 25 days.
+Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.
 <!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-End -->
 
 <!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Editable-Begin -->
@@ -584,7 +587,7 @@ Configure how many days can pass before an aggressive quick scan is triggered. T
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0,7-60]` |
+| Allowed Values | Range: `[7-60]` |
 | Default Value  | 25 |
 <!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-DFProperties-End -->
 
@@ -989,10 +992,20 @@ Defines whether the cache maintenance idle task will perform the cache maintenan
 
 | Property name | Property value |
 |:--|:--|
-| Format | `chr` (string) |
+| Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
 <!-- Device-Configuration-DisableCacheMaintenance-DFProperties-End -->
 
+<!-- Device-Configuration-DisableCacheMaintenance-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Cache maintenance is disabled. |
+| 0 (Default) | Cache maintenance is enabled (default). |
+<!-- Device-Configuration-DisableCacheMaintenance-AllowedValues-End -->
+
 <!-- Device-Configuration-DisableCacheMaintenance-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-Configuration-DisableCacheMaintenance-Examples-End -->
@@ -1489,6 +1502,55 @@ This setting disables the gathering and send of performance telemetry from Netwo
 
 <!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-End -->
 
+<!-- Device-Configuration-DisableQuicParsing-Begin -->
+### Configuration/DisableQuicParsing
+
+<!-- Device-Configuration-DisableQuicParsing-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableQuicParsing-Applicability-End -->
+
+<!-- Device-Configuration-DisableQuicParsing-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableQuicParsing
+```
+<!-- Device-Configuration-DisableQuicParsing-OmaUri-End -->
+
+<!-- Device-Configuration-DisableQuicParsing-Description-Begin -->
+<!-- Description-Source-DDF -->
+This setting disables QUIC Parsing for Network Protection.
+<!-- Device-Configuration-DisableQuicParsing-Description-End -->
+
+<!-- Device-Configuration-DisableQuicParsing-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableQuicParsing-Editable-End -->
+
+<!-- Device-Configuration-DisableQuicParsing-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Configuration-DisableQuicParsing-DFProperties-End -->
+
+<!-- Device-Configuration-DisableQuicParsing-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | QUIC parsing is disabled. |
+| 0 (Default) | QUIC parsing is enabled. |
+<!-- Device-Configuration-DisableQuicParsing-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableQuicParsing-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableQuicParsing-Examples-End -->
+
+<!-- Device-Configuration-DisableQuicParsing-End -->
+
 <!-- Device-Configuration-DisableRdpParsing-Begin -->
 ### Configuration/DisableRdpParsing
 
@@ -1916,6 +1978,7 @@ Allows an administrator to explicitly disable network packet inspection made by
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
 <!-- Device-Configuration-ExcludedIpAddresses-DFProperties-End -->
 
 <!-- Device-Configuration-ExcludedIpAddresses-Examples-Begin -->
@@ -2203,7 +2266,7 @@ Setting to control automatic remediation for Sense scans.
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
-| Default Value  | 0 |
+| Default Value  | 0x0 |
 <!-- Device-Configuration-PassiveRemediation-DFProperties-End -->
 
 <!-- Device-Configuration-PassiveRemediation-AllowedValues-Begin -->
@@ -2211,6 +2274,7 @@ Setting to control automatic remediation for Sense scans.
 
 | Flag | Description |
 |:--|:--|
+| 0x0 (Default) | Passive Remediation is turned off (default). |
 | 0x1 | PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation. |
 | 0x2 | PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit. |
 | 0x4 | PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation. |
@@ -2494,6 +2558,7 @@ Defines what are the devices primary ids that should be secured by Defender Devi
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
 <!-- Device-Configuration-SecuredDevicesConfiguration-DFProperties-End -->
 
 <!-- Device-Configuration-SecuredDevicesConfiguration-Examples-Begin -->
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 00b7d76777..22e2b101f9 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/02/2023
+ms.date: 08/29/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -1060,6 +1060,7 @@ The following XML file contains the device description framework (DDF) for the D
             <MSFT:CspVersion>1.3</MSFT:CspVersion>
           </MSFT:Applicability>
           <MSFT:AllowedValues ValueType="None">
+            <MSFT:List Delimiter="|" />
           </MSFT:AllowedValues>
         </DFProperties>
       </Node>
@@ -2194,7 +2195,7 @@ The following XML file contains the device description framework (DDF) for the D
             <Replace />
           </AccessType>
           <DefaultValue>25</DefaultValue>
-          <Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If set to 0, aggressive quick scans will be disabled. By default, the value is set to 25 days.</Description>
+          <Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If not configured, aggressive quick scans will be disabled. By default, the value is set to 25 days when enabled.</Description>
           <DFFormat>
             <int />
           </DFFormat>
@@ -2212,7 +2213,7 @@ The following XML file contains the device description framework (DDF) for the D
             <MSFT:CspVersion>1.3</MSFT:CspVersion>
           </MSFT:Applicability>
           <MSFT:AllowedValues ValueType="Range">
-            <MSFT:Value>[0,7-60]</MSFT:Value>
+            <MSFT:Value>[7-60]</MSFT:Value>
           </MSFT:AllowedValues>
         </DFProperties>
       </Node>
@@ -2333,6 +2334,7 @@ The following XML file contains the device description framework (DDF) for the D
             <MSFT:CspVersion>1.3</MSFT:CspVersion>
           </MSFT:Applicability>
           <MSFT:AllowedValues ValueType="None">
+            <MSFT:List Delimiter="|" />
           </MSFT:AllowedValues>
         </DFProperties>
       </Node>
@@ -2345,9 +2347,10 @@ The following XML file contains the device description framework (DDF) for the D
             <Get />
             <Replace />
           </AccessType>
-          <Description>Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum.</Description>
+          <DefaultValue>500</DefaultValue>
+          <Description>Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum. The valid interval is [5-5000] MB. By default, the maximum quota will be 500 MB.</Description>
           <DFFormat>
-            <chr />
+            <int />
           </DFFormat>
           <Occurrence>
             <One />
@@ -2362,7 +2365,8 @@ The following XML file contains the device description framework (DDF) for the D
             <MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
             <MSFT:CspVersion>1.3</MSFT:CspVersion>
           </MSFT:Applicability>
-          <MSFT:AllowedValues ValueType="None">
+          <MSFT:AllowedValues ValueType="Range">
+            <MSFT:Value>[5-5000]</MSFT:Value>
           </MSFT:AllowedValues>
         </DFProperties>
       </Node>
@@ -2487,7 +2491,7 @@ The following XML file contains the device description framework (DDF) for the D
             <Get />
             <Replace />
           </AccessType>
-          <DefaultValue>0</DefaultValue>
+          <DefaultValue>0x0</DefaultValue>
           <Description>Setting to control automatic remediation for Sense scans.</Description>
           <DFFormat>
             <int />
@@ -2506,6 +2510,10 @@ The following XML file contains the device description framework (DDF) for the D
             <MSFT:CspVersion>1.3</MSFT:CspVersion>
           </MSFT:Applicability>
           <MSFT:AllowedValues ValueType="Flag">
+            <MSFT:Enum>
+              <MSFT:Value>0x0</MSFT:Value>
+              <MSFT:ValueDescription>Passive Remediation is turned off (default)</MSFT:ValueDescription>
+            </MSFT:Enum>
             <MSFT:Enum>
               <MSFT:Value>0x1</MSFT:Value>
               <MSFT:ValueDescription>PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation</MSFT:ValueDescription>
@@ -2603,6 +2611,45 @@ The following XML file contains the device description framework (DDF) for the D
           </MSFT:AllowedValues>
         </DFProperties>
       </Node>
+      <Node>
+        <NodeName>DisableQuicParsing</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>0</DefaultValue>
+          <Description>This setting disables QUIC Parsing for Network Protection.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>QUIC parsing is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>QUIC parsing is enabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
       <Node>
         <NodeName>AllowSwitchToAsyncInspection</NodeName>
         <DFProperties>
@@ -2729,9 +2776,10 @@ The following XML file contains the device description framework (DDF) for the D
             <Get />
             <Replace />
           </AccessType>
+          <DefaultValue>0</DefaultValue>
           <Description>Defines whether the cache maintenance idle task will perform the cache maintenance or not.</Description>
           <DFFormat>
-            <chr />
+            <int />
           </DFFormat>
           <Occurrence>
             <One />
@@ -2746,7 +2794,15 @@ The following XML file contains the device description framework (DDF) for the D
             <MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
             <MSFT:CspVersion>1.3</MSFT:CspVersion>
           </MSFT:Applicability>
-          <MSFT:AllowedValues ValueType="None">
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Cache maintenance is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Cache maintenance is enabled (default)</MSFT:ValueDescription>
+            </MSFT:Enum>
           </MSFT:AllowedValues>
         </DFProperties>
       </Node>
diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md
index 1f3ec6eaa1..d8b4a5ca6e 100644
--- a/windows/client-management/mdm/devicepreparation-csp.md
+++ b/windows/client-management/mdm/devicepreparation-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -430,7 +430,7 @@ This node provides status of the Device Preparation page. Values are an enum: 0
 | Property name | Property value |
 |:--|:--|
 | Format | `int` |
-| Access Type | Get |
+| Access Type | Get, Replace |
 <!-- Device-PageStatus-DFProperties-End -->
 
 <!-- Device-PageStatus-AllowedValues-Begin -->
diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md
index 3174ac4dab..4f948ac7b5 100644
--- a/windows/client-management/mdm/devicepreparation-ddf-file.md
+++ b/windows/client-management/mdm/devicepreparation-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -88,6 +88,7 @@ The following XML file contains the device description framework (DDF) for the D
       <DFProperties>
         <AccessType>
           <Get />
+          <Replace />
         </AccessType>
         <Description>This node provides status of the Device Preparation page.  Values are an enum: 0 = Disabled; 1 = Enabled;  2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.</Description>
         <DFFormat>
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 7c11cf5f09..9a5f3cadbf 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 09/27/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -80,10 +80,10 @@ The following list shows the DMClient configuration service provider nodes:
       - [HelpWebsite](#deviceproviderprovideridhelpwebsite)
       - [HWDevID](#deviceproviderprovideridhwdevid)
       - [LinkedEnrollment](#deviceproviderprovideridlinkedenrollment)
+        - [DiscoveryEndpoint](#deviceproviderprovideridlinkedenrollmentdiscoveryendpoint)
         - [Enroll](#deviceproviderprovideridlinkedenrollmentenroll)
         - [EnrollStatus](#deviceproviderprovideridlinkedenrollmentenrollstatus)
         - [LastError](#deviceproviderprovideridlinkedenrollmentlasterror)
-        - [Priority](#deviceproviderprovideridlinkedenrollmentpriority)
         - [Unenroll](#deviceproviderprovideridlinkedenrollmentunenroll)
       - [ManagementServerAddressList](#deviceproviderprovideridmanagementserveraddresslist)
       - [ManagementServerToUpgradeTo](#deviceproviderprovideridmanagementservertoupgradeto)
@@ -272,7 +272,7 @@ This node contains the URI-encoded value of the bootstrapped device management a
 
 <!-- Device-Provider-{ProviderID}-AADDeviceID-Description-Begin -->
 <!-- Description-Source-DDF -->
-Device ID used for AAD device registration.
+Device ID used for Microsoft Entra device registration.
 <!-- Device-Provider-{ProviderID}-AADDeviceID-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-AADDeviceID-Editable-Begin -->
@@ -311,12 +311,12 @@ Device ID used for AAD device registration.
 
 <!-- Device-Provider-{ProviderID}-AADResourceID-Description-Begin -->
 <!-- Description-Source-DDF -->
-This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
+This is the ResourceID used when requesting the user token from the OMA DM session for Microsoft Entra enrollments (Microsoft Entra join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
 <!-- Device-Provider-{ProviderID}-AADResourceID-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-AADResourceID-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](../azure-active-directory-integration-with-mdm.md).
+For more information about Microsoft Entra enrollment, see [Microsoft Entra integration with MDM](../azure-active-directory-integration-with-mdm.md).
 <!-- Device-Provider-{ProviderID}-AADResourceID-Editable-End -->
 
 <!-- Device-Provider-{ProviderID}-AADResourceID-DFProperties-Begin -->
@@ -351,7 +351,7 @@ For more information about Azure AD enrollment, see [Azure Active Directory inte
 
 <!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Description-Begin -->
 <!-- Description-Source-DDF -->
-For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained.
+For Microsoft Entra backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained.
 <!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Editable-Begin -->
@@ -2016,8 +2016,8 @@ Device only. This node decides whether or not the MDM device progress page skips
 
 | Value | Description |
 |:--|:--|
-| false | Don't skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
-| true (Default) | Skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+| false | Don't skip the device progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
+| true (Default) | Skip the device progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-AllowedValues-End -->
 
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-Examples-Begin -->
@@ -2065,8 +2065,8 @@ Device only. This node decides whether or not the MDM user progress page skips a
 
 | Value | Description |
 |:--|:--|
-| false | Don't skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
-| true (Default) | Skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+| false | Don't skip the MGM user progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
+| true (Default) | Skip the MGM user progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-AllowedValues-End -->
 
 <!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-Examples-Begin -->
@@ -2182,7 +2182,7 @@ Integer node determining if a Device was Successfully provisioned. 0 is failure,
 
 <!-- Device-Provider-{ProviderID}-ForceAadToken-Description-Begin -->
 <!-- Description-Source-DDF -->
-Force device to send device AAD token during check-in as a separate header.
+Force device to send device Microsoft Entra token during check-in as a separate header.
 <!-- Device-Provider-{ProviderID}-ForceAadToken-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-ForceAadToken-Editable-Begin -->
@@ -2204,9 +2204,9 @@ Force device to send device AAD token during check-in as a separate header.
 | Value | Description |
 |:--|:--|
 | 0 | ForceAadTokenNotDefined: the value isn't defined(default). |
-| 1 | AlwaysSendAadDeviceTokenCheckIn: always send AAD device token during check-in as a separate header section(not as Bearer token). |
-| 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during check-in as a separate header section(not as Bearer token). |
-| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send AAD Device token for auth as Bearer token. |
+| 1 | AlwaysSendAadDeviceTokenCheckIn: always send Microsoft Entra device token during check-in as a separate header section(not as Bearer token). |
+| 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send Microsoft Entra user token during check-in as a separate header section(not as Bearer token). |
+| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send Microsoft Entra Device token for auth as Bearer token. |
 | 8 | Reserved for future. ForceAadTokenMaxAllowed: max value allowed. |
 <!-- Device-Provider-{ProviderID}-ForceAadToken-AllowedValues-End -->
 
@@ -2411,6 +2411,45 @@ The interior node for linked enrollment.
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-End -->
 
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Begin -->
+##### Device/Provider/{ProviderID}/LinkedEnrollment/DiscoveryEndpoint
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Applicability-End -->
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/DiscoveryEndpoint
+```
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-OmaUri-End -->
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Description-Begin -->
+<!-- Description-Source-DDF -->
+Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint isn't set, client will return an rmpty string with S_OK.
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Description-End -->
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Editable-End -->
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-DFProperties-End -->
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-Examples-End -->
+
+<!-- Device-Provider-{ProviderID}-LinkedEnrollment-DiscoveryEndpoint-End -->
+
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Begin -->
 ##### Device/Provider/{ProviderID}/LinkedEnrollment/Enroll
 
@@ -2428,12 +2467,12 @@ The interior node for linked enrollment.
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Description-Begin -->
 <!-- Description-Source-DDF -->
-Trigger to enroll for the Linked Enrollment.
+This is an execution node and will trigger a silent Declared Configuration unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by Declared Configuration will be rolled back (rollback details will be covered later).
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-This is an execution node and will trigger a silent MMP-C enrollment, using the Azure Active Directory device token pulled from the Azure AD-joined device. There is no user interaction needed.
+This is an execution node and will trigger a silent Declared Configuration enrollment, using the Microsoft Entra device token pulled from the Microsoft Entra joined device. There is no user interaction needed. When the **DiscoveryEndpoint** is not set, the Enroll node will fail with `ERROR_FILE_NOT_FOUND (0x80070002)` and there is no scheduled task created for dual enrollment.
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Editable-End -->
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-DFProperties-Begin -->
@@ -2468,7 +2507,7 @@ This is an execution node and will trigger a silent MMP-C enrollment, using the
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-EnrollStatus-Description-Begin -->
 <!-- Description-Source-DDF -->
-Returns the current enrollment or un-enrollment status of the linked enrollment.
+Returns the current enrollment or un-enrollment status of the linked enrollment. Supports Get only.
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-EnrollStatus-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-EnrollStatus-Editable-Begin -->
@@ -2523,7 +2562,7 @@ Returns the current enrollment or un-enrollment status of the linked enrollment.
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-LastError-Description-Begin -->
 <!-- Description-Source-DDF -->
-return the last error for enroll/unenroll.
+Supports Get Only. Returns the HRESULT for the last error when enroll/unenroll fails.
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-LastError-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-LastError-Editable-Begin -->
@@ -2545,54 +2584,6 @@ return the last error for enroll/unenroll.
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-LastError-End -->
 
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Begin -->
-##### Device/Provider/{ProviderID}/LinkedEnrollment/Priority
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2009 [10.0.19042.2193] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.2193] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.2193] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.918] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Applicability-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-OmaUri-Begin -->
-```Device
-./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Priority
-```
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-OmaUri-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Description-Begin -->
-<!-- Description-Source-DDF -->
-Optional. Allowed value is 0 or 1. 0 means the main enrollment has authority for MDM settings and resources, 1 means the linked enrollment has authority.
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Description-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Editable-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-DFProperties-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-AllowedValues-Begin -->
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 | The main enrollment has priority over linked enrollment. |
-| 1 | The linked enrollment has priority over the main enrollment. |
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-AllowedValues-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-Examples-End -->
-
-<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Priority-End -->
-
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Unenroll-Begin -->
 ##### Device/Provider/{ProviderID}/LinkedEnrollment/Unenroll
 
@@ -2615,7 +2606,7 @@ Trigger Unenroll for the Linked Enrollment.
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Unenroll-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back.
+This is an execution node and will trigger a silent Declared Configuration unenroll, without any user interaction. On un-enrollment, all the settings/resources set by Declared Configuration will be rolled back.
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Unenroll-Editable-End -->
 
 <!-- Device-Provider-{ProviderID}-LinkedEnrollment-Unenroll-DFProperties-Begin -->
@@ -3744,7 +3735,7 @@ This node initiates a recovery action. The server can specify prerequisites befo
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Initiate MDM Recovery. |
-| 1 | Initiate Recovery if Keys aren't already protected by the TPM, there is a TPM to put the keys into, AAD keys are protected by TPM, and the TPM is ready for attestation. |
+| 1 | Initiate Recovery if Keys aren't already protected by the TPM, there is a TPM to put the keys into, Microsoft Entra ID keys are protected by TPM, and the TPM is ready for attestation. |
 <!-- Device-Provider-{ProviderID}-Recovery-InitiateRecovery-AllowedValues-End -->
 
 <!-- Device-Provider-{ProviderID}-Recovery-InitiateRecovery-Examples-Begin -->
@@ -3770,7 +3761,7 @@ This node initiates a recovery action. The server can specify prerequisites befo
 
 <!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Description-Begin -->
 <!-- Description-Source-DDF -->
-This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM isn't available. 4 - Recovery has failed to start because AAD keys aren't protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM isn't ready for attestation. 7 - Recovery has failed because the client can't authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request.
+This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM isn't available. 4 - Recovery has failed to start because Microsoft Entra ID keys aren't protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM isn't ready for attestation. 7 - Recovery has failed because the client can't authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request.
 <!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Description-End -->
 
 <!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Editable-Begin -->
@@ -3973,7 +3964,7 @@ The following SyncML shows how to remotely unenroll the device. This command sho
              <LocURI>./Vendor/MSFT/DMClient/Provider/<ProviderID>/Unenroll</LocURI>
           </Target>
           <Meta>
-             <Format xmlns=”syncml:metinf”>chr</Format>
+             <Format xmlns="syncml:metinf">chr</Format>
           </Meta>
           <Data>TestMDMServer</Data>
           <!-- Data Field in Threshold is now IGNORED -->
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index 8940dcd7f9..f47fafa391 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 09/27/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2548,47 +2548,13 @@ The following XML file contains the device description framework (DDF) for the D
               <MSFT:CspVersion>1.6</MSFT:CspVersion>
             </MSFT:Applicability>
           </DFProperties>
-          <Node>
-            <NodeName>Priority</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Add />
-                <Delete />
-                <Get />
-                <Replace />
-              </AccessType>
-              <Description>Optional. Allowed value is 0 or 1. 0 means the main enrollment has authority for mdm settings and resources, 1 means the linked enrollment has authority.</Description>
-              <DFFormat>
-                <int />
-              </DFFormat>
-              <Occurrence>
-                <ZeroOrOne />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME />
-              </DFType>
-              <MSFT:AllowedValues ValueType="ENUM">
-                <MSFT:Enum>
-                  <MSFT:Value>0</MSFT:Value>
-                  <MSFT:ValueDescription>The main enrollment has priority over linked enrollment.</MSFT:ValueDescription>
-                </MSFT:Enum>
-                <MSFT:Enum>
-                  <MSFT:Value>1</MSFT:Value>
-                  <MSFT:ValueDescription>The linked enrollment has priority over the main enrollment.</MSFT:ValueDescription>
-                </MSFT:Enum>
-              </MSFT:AllowedValues>
-            </DFProperties>
-          </Node>
           <Node>
             <NodeName>LastError</NodeName>
             <DFProperties>
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>return the last error for enroll/unenroll.</Description>
+              <Description>Supports Get Only. Returns the HRESULT for the last error when enroll/unenroll fails.</Description>
               <DFFormat>
                 <int />
               </DFFormat>
@@ -2609,7 +2575,7 @@ The following XML file contains the device description framework (DDF) for the D
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>Returns the current enrollment or un-enrollment status of the linked enrollment.</Description>
+              <Description>Returns the current enrollment or un-enrollment status of the linked enrollment. Supports Get only.</Description>
               <DFFormat>
                 <int />
               </DFFormat>
@@ -2668,7 +2634,7 @@ The following XML file contains the device description framework (DDF) for the D
               <AccessType>
                 <Exec />
               </AccessType>
-              <Description>Trigger to enroll for the Linked Enrollment</Description>
+              <Description>This is an execution node and will trigger a silent Declared Configuration unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by Declared Configuration will be rolled back (rollback details will be covered later).</Description>
               <DFFormat>
                 <null />
               </DFFormat>
@@ -2704,6 +2670,36 @@ The following XML file contains the device description framework (DDF) for the D
               </DFType>
             </DFProperties>
           </Node>
+          <Node>
+            <NodeName>DiscoveryEndpoint</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Delete />
+                <Get />
+                <Replace />
+              </AccessType>
+              <Description>Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint is not set, client will return an rmpty string with S_OK. </Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:Applicability>
+                <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+                <MSFT:CspVersion>9.9</MSFT:CspVersion>
+              </MSFT:Applicability>
+              <MSFT:AllowedValues ValueType="None">
+              </MSFT:AllowedValues>
+            </DFProperties>
+          </Node>
         </Node>
         <Node>
           <NodeName>MultipleSession</NodeName>
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md
index 4ff3f47d51..3933d2fb17 100644
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the eUICCs CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/29/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -108,7 +108,7 @@ Represents information associated with an eUICC. There is one subtree for each k
 
 <!-- Device-{eUICC}-Actions-Description-Begin -->
 <!-- Description-Source-DDF -->
-Actions that can be performed on the eUICC as a whole (when it's active).
+Actions that can be performed on the eUICC as a whole.
 <!-- Device-{eUICC}-Actions-Description-End -->
 
 <!-- Device-{eUICC}-Actions-Editable-Begin -->
@@ -147,7 +147,7 @@ Actions that can be performed on the eUICC as a whole (when it's active).
 
 <!-- Device-{eUICC}-Actions-ResetToFactoryState-Description-Begin -->
 <!-- Description-Source-DDF -->
-An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset.
+This triggers an eUICC Memory Reset, which erases all the eSIM profiles in the eUICC.
 <!-- Device-{eUICC}-Actions-ResetToFactoryState-Description-End -->
 
 <!-- Device-{eUICC}-Actions-ResetToFactoryState-Editable-Begin -->
@@ -226,7 +226,7 @@ Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE
 
 <!-- Device-{eUICC}-DownloadServers-Description-Begin -->
 <!-- Description-Source-DDF -->
-Represents default SM-DP+ discovery requests.
+Represents servers used for bulk provisioning and eSIM discovery.
 <!-- Device-{eUICC}-DownloadServers-Description-End -->
 
 <!-- Device-{eUICC}-DownloadServers-Editable-Begin -->
@@ -265,7 +265,7 @@ Represents default SM-DP+ discovery requests.
 
 <!-- Device-{eUICC}-DownloadServers-{ServerName}-Description-Begin -->
 <!-- Description-Source-DDF -->
-Node representing the discovery operation for a server name. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request.
+Node representing a bulk download/discovery server. The node name is the fully qualified domain name of the server that will be used. Creation of this subtree triggers a discovery request.
 <!-- Device-{eUICC}-DownloadServers-{ServerName}-Description-End -->
 
 <!-- Device-{eUICC}-DownloadServers-{ServerName}-Editable-Begin -->
@@ -353,7 +353,7 @@ Indicates whether the discovered profile must be enabled automatically after ins
 
 <!-- Device-{eUICC}-DownloadServers-{ServerName}-DiscoveryState-Description-Begin -->
 <!-- Description-Source-DDF -->
-Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.
+Current state of the discovery operation for this server (Requested = 1, Executing = 2, Completed = 3, Failed = 4).
 <!-- Device-{eUICC}-DownloadServers-{ServerName}-DiscoveryState-Description-End -->
 
 <!-- Device-{eUICC}-DownloadServers-{ServerName}-DiscoveryState-Editable-Begin -->
@@ -393,7 +393,7 @@ Current state of the discovery operation for the parent ServerName (Requested =
 
 <!-- Device-{eUICC}-DownloadServers-{ServerName}-IsDiscoveryServer-Description-Begin -->
 <!-- Description-Source-DDF -->
-Indicates whether the server is a discovery server. Optional, default value is false.
+Indicates whether the server is a discovery server or if it's used for bulk download. A discovery server is used every time a user requests a profile discovery operation. Optional, default value is false.
 <!-- Device-{eUICC}-DownloadServers-{ServerName}-IsDiscoveryServer-Description-End -->
 
 <!-- Device-{eUICC}-DownloadServers-{ServerName}-IsDiscoveryServer-Editable-Begin -->
@@ -442,7 +442,7 @@ Indicates whether the server is a discovery server. Optional, default value is f
 
 <!-- Device-{eUICC}-Identifier-Description-Begin -->
 <!-- Description-Source-DDF -->
-The EID.
+The unique eUICC identifier (EID).
 <!-- Device-{eUICC}-Identifier-Description-End -->
 
 <!-- Device-{eUICC}-Identifier-Editable-Begin -->
@@ -560,7 +560,7 @@ Device policies associated with the eUICC as a whole (not per-profile).
 
 <!-- Device-{eUICC}-Policies-LocalUIEnabled-Description-Begin -->
 <!-- Description-Source-DDF -->
-Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server.
+Determines whether or not the user can make changes to the eSIM through the user interface.
 <!-- Device-{eUICC}-Policies-LocalUIEnabled-Description-End -->
 
 <!-- Device-{eUICC}-Policies-LocalUIEnabled-Editable-Begin -->
@@ -609,7 +609,7 @@ Determines whether the local user interface of the LUI is available (true if ava
 
 <!-- Device-{eUICC}-PPR1Allowed-Description-Begin -->
 <!-- Description-Source-DDF -->
-Indicates whether the download of a profile with PPR1 is allowed. If the eUICC has already a profile (regardless of its origin and policy rules associated with it), then the download of a profile with PPR1 isn't allowed.
+Indicates whether the download of a profile with Profile Policy Rule 1 (PPR1) is allowed. If the eUICC has already a profile (regardless of its origin and policy rules associated with it), then the download of a profile with PPR1 isn't allowed.
 <!-- Device-{eUICC}-PPR1Allowed-Description-End -->
 
 <!-- Device-{eUICC}-PPR1Allowed-Editable-Begin -->
@@ -648,7 +648,7 @@ Indicates whether the download of a profile with PPR1 is allowed. If the eUICC h
 
 <!-- Device-{eUICC}-PPR1AlreadySet-Description-Begin -->
 <!-- Description-Source-DDF -->
-Indicates whether the eUICC has already a profile with PPR1.
+Indicates whether the eUICC has already a profile with Profile Policy Rule 1 (PPR1).
 <!-- Device-{eUICC}-PPR1AlreadySet-Description-End -->
 
 <!-- Device-{eUICC}-PPR1AlreadySet-Editable-Begin -->
@@ -687,7 +687,7 @@ Indicates whether the eUICC has already a profile with PPR1.
 
 <!-- Device-{eUICC}-Profiles-Description-Begin -->
 <!-- Description-Source-DDF -->
-Represents all enterprise-owned profiles.
+Represents all enterprise-owned eSIM profiles.
 <!-- Device-{eUICC}-Profiles-Description-End -->
 
 <!-- Device-{eUICC}-Profiles-Editable-Begin -->
@@ -726,7 +726,7 @@ Represents all enterprise-owned profiles.
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-Description-Begin -->
 <!-- Description-Source-DDF -->
-Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).
+Node representing an enterprise-owned eSIM profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).
 <!-- Device-{eUICC}-Profiles-{ICCID}-Description-End -->
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-Editable-Begin -->
@@ -806,7 +806,7 @@ Detailed error if the profile download and install procedure failed (None = 0, C
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-IsEnabled-Description-Begin -->
 <!-- Description-Source-DDF -->
-Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP.
+Indicates whether this eSIM profile is enabled. Can be set by both the MDM and the CSP.
 <!-- Device-{eUICC}-Profiles-{ICCID}-IsEnabled-Description-End -->
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-IsEnabled-Editable-Begin -->
@@ -854,7 +854,7 @@ Indicates whether this profile is enabled. Can be set by the MDM when the ICCID
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-MatchingID-Description-Begin -->
 <!-- Description-Source-DDF -->
-Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.
+Matching ID (activation code token) for eSIM profile download. Must be set by the MDM when the ICCID subtree is created.
 <!-- Device-{eUICC}-Profiles-{ICCID}-MatchingID-Description-End -->
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-MatchingID-Editable-Begin -->
@@ -894,7 +894,7 @@ Matching ID (activation code token) for profile download. Must be set by the MDM
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-PPR1Set-Description-Begin -->
 <!-- Description-Source-DDF -->
-This profile policy rule indicates whether disabling of this profile isn't allowed (true if not allowed, false otherwise).
+Profile Policy Rule 1 (PPR1) indicates whether disabling of this profile isn't allowed (true if not allowed, false otherwise).
 <!-- Device-{eUICC}-Profiles-{ICCID}-PPR1Set-Description-End -->
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-PPR1Set-Editable-Begin -->
@@ -933,7 +933,7 @@ This profile policy rule indicates whether disabling of this profile isn't allow
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-PPR2Set-Description-Begin -->
 <!-- Description-Source-DDF -->
-This profile policy rule indicates whether deletion of this profile isn't allowed (true if not allowed, false otherwise).
+Profile Policy Rule 2 (PPR2) indicates whether deletion of this profile isn't allowed (true if not allowed, false otherwise).
 <!-- Device-{eUICC}-Profiles-{ICCID}-PPR2Set-Description-End -->
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-PPR2Set-Editable-Begin -->
@@ -972,7 +972,7 @@ This profile policy rule indicates whether deletion of this profile isn't allowe
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-ServerName-Description-Begin -->
 <!-- Description-Source-DDF -->
-Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.
+Fully qualified domain name of the server that can download this eSIM profile. Must be set by the MDM when the ICCID subtree is created.
 <!-- Device-{eUICC}-Profiles-{ICCID}-ServerName-Description-End -->
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-ServerName-Editable-Begin -->
@@ -1011,7 +1011,7 @@ Fully qualified domain name of the SM-DP+ that can download this profile. Must b
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-State-Description-Begin -->
 <!-- Description-Source-DDF -->
-Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA.
+Current state of the eSIM profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4).
 <!-- Device-{eUICC}-Profiles-{ICCID}-State-Description-End -->
 
 <!-- Device-{eUICC}-Profiles-{ICCID}-State-Editable-Begin -->
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
index d1293442b4..5a070577f7 100644
--- a/windows/client-management/mdm/euiccs-ddf-file.md
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 08/29/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -84,7 +84,7 @@ The following XML file contains the device description framework (DDF) for the e
           <AccessType>
             <Get />
           </AccessType>
-          <Description>The EID.</Description>
+          <Description>The unique eUICC identifier (EID).</Description>
           <DFFormat>
             <chr />
           </DFFormat>
@@ -129,7 +129,7 @@ The following XML file contains the device description framework (DDF) for the e
           <AccessType>
             <Get />
           </AccessType>
-          <Description>Indicates whether the download of a profile with PPR1 is allowed. If the eUICC has already a profile (regardless of its origin and policy rules associated with it), then the download of a profile with PPR1 is not allowed.</Description>
+          <Description>Indicates whether the download of a profile with Profile Policy Rule 1 (PPR1) is allowed. If the eUICC has already a profile (regardless of its origin and policy rules associated with it), then the download of a profile with PPR1 is not allowed.</Description>
           <DFFormat>
             <bool />
           </DFFormat>
@@ -150,7 +150,7 @@ The following XML file contains the device description framework (DDF) for the e
           <AccessType>
             <Get />
           </AccessType>
-          <Description>Indicates whether the eUICC has already a profile with PPR1.</Description>
+          <Description>Indicates whether the eUICC has already a profile with Profile Policy Rule 1 (PPR1).</Description>
           <DFFormat>
             <bool />
           </DFFormat>
@@ -171,7 +171,7 @@ The following XML file contains the device description framework (DDF) for the e
           <AccessType>
             <Get />
           </AccessType>
-          <Description>Represents default SM-DP+ discovery requests.</Description>
+          <Description>Represents servers used for bulk provisioning and eSIM discovery.</Description>
           <DFFormat>
             <node />
           </DFFormat>
@@ -199,7 +199,7 @@ The following XML file contains the device description framework (DDF) for the e
               <Get />
               <Replace />
             </AccessType>
-            <Description>Node representing the discovery operation for a server name. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request.</Description>
+            <Description>Node representing a bulk download/discovery server. The node name is the fully qualified domain name of the server that will be used. Creation of this subtree triggers a discovery request.</Description>
             <DFFormat>
               <node />
             </DFFormat>
@@ -224,7 +224,7 @@ The following XML file contains the device description framework (DDF) for the e
                 <Get />
               </AccessType>
               <DefaultValue>1</DefaultValue>
-              <Description>Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.</Description>
+              <Description>Current state of the discovery operation for this server (Requested = 1, Executing = 2, Completed = 3, Failed = 4).</Description>
               <DFFormat>
                 <int />
               </DFFormat>
@@ -281,7 +281,7 @@ The following XML file contains the device description framework (DDF) for the e
                 <Replace />
               </AccessType>
               <DefaultValue>false</DefaultValue>
-              <Description>Indicates whether the server is a discovery server. Optional, default value is false.</Description>
+              <Description>Indicates whether the server is a discovery server or if it is used for bulk download. A discovery server is used every time a user requests a profile discovery operation. Optional, default value is false.</Description>
               <DFFormat>
                 <bool />
               </DFFormat>
@@ -318,7 +318,7 @@ The following XML file contains the device description framework (DDF) for the e
           <AccessType>
             <Get />
           </AccessType>
-          <Description>Represents all enterprise-owned profiles.</Description>
+          <Description>Represents all enterprise-owned eSIM profiles.</Description>
           <DFFormat>
             <node />
           </DFFormat>
@@ -342,7 +342,7 @@ The following XML file contains the device description framework (DDF) for the e
               <Get />
               <Replace />
             </AccessType>
-            <Description>Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).</Description>
+            <Description>Node representing an enterprise-owned eSIM profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).</Description>
             <DFFormat>
               <node />
             </DFFormat>
@@ -368,7 +368,7 @@ The following XML file contains the device description framework (DDF) for the e
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.</Description>
+              <Description>Fully qualified domain name of the server that can download this eSIM profile. Must be set by the MDM when the ICCID subtree is created.</Description>
               <DFFormat>
                 <chr />
               </DFFormat>
@@ -396,7 +396,7 @@ The following XML file contains the device description framework (DDF) for the e
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.</Description>
+              <Description>Matching ID (activation code token) for eSIM profile download. Must be set by the MDM when the ICCID subtree is created.</Description>
               <DFFormat>
                 <chr />
               </DFFormat>
@@ -424,7 +424,7 @@ The following XML file contains the device description framework (DDF) for the e
                 <Get />
               </AccessType>
               <DefaultValue>1</DefaultValue>
-              <Description>Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA.</Description>
+              <Description>Current state of the eSIM profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4).</Description>
               <DFFormat>
                 <int />
               </DFFormat>
@@ -447,7 +447,7 @@ The following XML file contains the device description framework (DDF) for the e
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP.</Description>
+              <Description>Indicates whether this eSIM profile is enabled. Can be set by both the MDM and the CSP.</Description>
               <DFFormat>
                 <bool />
               </DFFormat>
@@ -482,7 +482,7 @@ The following XML file contains the device description framework (DDF) for the e
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise).</Description>
+              <Description>Profile Policy Rule 1 (PPR1) indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise).</Description>
               <DFFormat>
                 <bool />
               </DFFormat>
@@ -503,7 +503,7 @@ The following XML file contains the device description framework (DDF) for the e
               <AccessType>
                 <Get />
               </AccessType>
-              <Description>This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise).</Description>
+              <Description>Profile Policy Rule 2 (PPR2) indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise).</Description>
               <DFFormat>
                 <bool />
               </DFFormat>
@@ -570,7 +570,7 @@ The following XML file contains the device description framework (DDF) for the e
               <Replace />
             </AccessType>
             <DefaultValue>true</DefaultValue>
-            <Description>Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server.</Description>
+            <Description>Determines whether or not the user can make changes to the eSIM through the user interface.</Description>
             <DFFormat>
               <bool />
             </DFFormat>
@@ -602,7 +602,7 @@ The following XML file contains the device description framework (DDF) for the e
           <AccessType>
             <Get />
           </AccessType>
-          <Description>Actions that can be performed on the eUICC as a whole (when it is active).</Description>
+          <Description>Actions that can be performed on the eUICC as a whole.</Description>
           <DFFormat>
             <node />
           </DFFormat>
@@ -622,7 +622,7 @@ The following XML file contains the device description framework (DDF) for the e
             <AccessType>
               <Exec />
             </AccessType>
-            <Description>An EXECUTE on this node triggers the  LPA to perform an eUICC Memory Reset.</Description>
+            <Description>This triggers an eUICC Memory Reset, which erases all the eSIM profiles in the eUICC.</Description>
             <DFFormat>
               <chr />
             </DFFormat>
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 3f61327719..6bfcf539e2 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -3472,7 +3472,7 @@ This value represents the order of rule enforcement. A lower priority rule is ev
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-OmaUri-Begin -->
@@ -3547,7 +3547,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
 |:--|:--|
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-65535]` |
+| Allowed Values | Range: `[0-255]` |
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-DFProperties-End -->
 
 <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-Examples-Begin -->
@@ -3812,7 +3812,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-OmaUri-Begin -->
@@ -3961,7 +3961,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-OmaUri-Begin -->
@@ -3999,7 +3999,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@@ -4049,7 +4049,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-OmaUri-Begin -->
@@ -4099,7 +4099,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-OmaUri-Begin -->
@@ -4149,7 +4149,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-OmaUri-Begin -->
@@ -4296,7 +4296,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-OmaUri-Begin -->
@@ -4334,7 +4334,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@@ -4384,7 +4384,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-OmaUri-Begin -->
@@ -4434,7 +4434,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-OmaUri-Begin -->
@@ -4484,7 +4484,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-OmaUri-Begin -->
@@ -4533,7 +4533,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-OmaUri-Begin -->
@@ -4571,7 +4571,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@@ -4621,7 +4621,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-OmaUri-Begin -->
@@ -4671,7 +4671,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-OmaUri-Begin -->
@@ -4721,7 +4721,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25398] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2352] and later <br> ✅ Windows Insider Preview [10.0.25398] |
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-End -->
 
 <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 8a398f09ae..1d38c29221 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/02/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -3030,7 +3030,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <MIME />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
               <MSFT:AllowedValues ValueType="ENUM">
@@ -3064,7 +3064,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <DDFName />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
             </DFProperties>
@@ -3257,7 +3257,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <DDFName />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
             </DFProperties>
@@ -3450,7 +3450,7 @@ The following XML file contains the device description framework (DDF) for the F
                 <DDFName />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
             </DFProperties>
@@ -4597,7 +4597,7 @@ If not specified the detault is OUT.</Description>
                 <MIME />
               </DFType>
               <MSFT:AllowedValues ValueType="Range">
-                <MSFT:Value>[0-65535]</MSFT:Value>
+                <MSFT:Value>[0-255]</MSFT:Value>
               </MSFT:AllowedValues>
             </DFProperties>
           </Node>
@@ -4833,7 +4833,7 @@ If not specified - a new rule is disabled by default.</Description>
                 <MIME />
               </DFType>
               <MSFT:Applicability>
-                <MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
+                <MSFT:OsBuildVersion>10.0.25398, 10.0.22621.2352</MSFT:OsBuildVersion>
                 <MSFT:CspVersion>1.0</MSFT:CspVersion>
               </MSFT:Applicability>
               <MSFT:AllowedValues ValueType="Flag">
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 1c9ad0123e..befe9471cc 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -726,7 +726,7 @@ If the attestation process is launched successfully, this node will return code
   - rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
   - serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
   - nonce: This field contains an arbitrary number that can be used only once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks.
-  - aadToken: The Azure Active Directory token to be used for authentication against the Microsoft Azure Attestation service.
+  - aadToken: The Microsoft Entra token to be used for authentication against the Microsoft Azure Attestation service.
   - cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, and that can be used for diagnostics purposes.
 
 - Sample `<Data>`:
diff --git a/windows/client-management/mdm/includes/mdm-insider-csp-note.md b/windows/client-management/mdm/includes/mdm-insider-csp-note.md
index 5c8c70b1fe..bc1fc814b6 100644
--- a/windows/client-management/mdm/includes/mdm-insider-csp-note.md
+++ b/windows/client-management/mdm/includes/mdm-insider-csp-note.md
@@ -7,4 +7,4 @@ ms.date: 05/09/2023
 ---
 
 > [!IMPORTANT]
-> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
+> This CSP contains some settings that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These settings are subject to change and may have dependencies on other features or services in preview.
diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md
index fe053e7544..d77060ac98 100644
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@@ -23,7 +23,7 @@ ms.topic: reference
 The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
 
 > [!NOTE]
-> For more information on specific OS updates required to use the Windows LAPS CSP and associated features, plus the current status of the Azure Active Directory LAPS scenario, see [Windows LAPS availability and Azure AD LAPS public preview status](/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status).
+> For more information on specific OS updates required to use the Windows LAPS CSP and associated features, plus the current status of the Microsoft Entra LAPS scenario, see [Windows LAPS availability and Microsoft Entra LAPS public preview status](/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status).
 
 > [!TIP]
 > This article covers the specific technical details of the LAPS CSP.  For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps).
@@ -449,7 +449,7 @@ Use this setting to configure which directory the local admin account password i
 The allowable settings are:
 
 0=Disabled (password won't be backed up)
-1=Backup the password to Azure AD only
+1=Backup the password to Microsoft Entra-only
 2=Backup the password to Active Directory only.
 
 If not specified, this setting will default to 0.
@@ -475,7 +475,7 @@ If not specified, this setting will default to 0.
 | Value | Description |
 |:--|:--|
 | 0 (Default) | Disabled (password won't be backed up). |
-| 1 | Backup the password to Azure AD only. |
+| 1 | Backup the password to Microsoft Entra-only. |
 | 2 | Backup the password to Active Directory only. |
 <!-- Device-Policies-BackupDirectory-AllowedValues-End -->
 
@@ -506,7 +506,7 @@ Use this policy to configure the maximum password age of the managed local admin
 
 If not specified, this setting will default to 30 days.
 
-This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Azure AD.
+This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Microsoft Entra ID.
 
 This setting has a maximum allowed value of 365 days.
 <!-- Device-Policies-PasswordAgeDays-Description-End -->
@@ -806,7 +806,7 @@ This setting has a maximum allowed value of 24 hours.
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 ## Settings Applicability
 
-The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2.
+The LAPS CSP can be used to manage devices that are either joined to Microsoft Entra ID or joined to both Microsoft Entra ID and Active Directory (hybrid-joined). The LAPS CSP manages a mix of Microsoft Entra-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2.
 
 | Setting name                        | Azure-joined | Hybrid-joined |
 |-------------------------------------|--------------|---------------|
@@ -828,9 +828,11 @@ The LAPS CSP can be used to manage devices that are either joined to Azure AD or
 
 The following examples are provided to show the correct format and shouldn't be considered as a recommendation.
 
-### Azure-joined device backing password up to Azure AD
+<a name='azure-joined-device-backing-password-up-to-azure-ad'></a>
 
-This example shows how to configure an Azure-joined device to back up its password to Azure Active Directory:
+### Azure-joined device backing password up to Microsoft Entra ID
+
+This example shows how to configure an Azure-joined device to back up its password to Microsoft Entra ID:
 
 ```xml
 <SyncMl xmlns="SYNCML:SYNCML1.2">
diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md
index 591e23f3dc..cc5a8c8ada 100644
--- a/windows/client-management/mdm/networkqospolicy-csp.md
+++ b/windows/client-management/mdm/networkqospolicy-csp.md
@@ -32,9 +32,9 @@ The following actions are supported:
 - Layer 3 tagging using a differentiated services code point (DSCP) value
 
 > [!NOTE]
-> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on the following devices:
+> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Microsoft Entra joined. Currently, this CSP is not supported on the following devices:
 >
-> - Azure AD Hybrid joined devices.
+> - Microsoft Entra hybrid joined devices.
 > - Devices that use both GPO and CSP at the same time.
 >
 > The minimum operating system requirement for this CSP is Windows 10, version 1703. This CSP is not supported in Microsoft Surface Hub prior to Windows 10, version 1703.
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index d5c2ebe843..29e995b12d 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -20,7 +20,7 @@ ms.topic: reference
 
 <!-- PassportForWork-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
+The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Microsoft Entra account and replace passwords, smartcards, and virtual smart cards.
 
 > [!IMPORTANT]
 > Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
@@ -32,6 +32,7 @@ The following list shows the PassportForWork configuration service provider node
 - ./Device/Vendor/MSFT/PassportForWork
   - [{TenantId}](#devicetenantid)
     - [Policies](#devicetenantidpolicies)
+      - [DisablePostLogonCredentialCaching](#devicetenantidpoliciesdisablepostlogoncredentialcaching)
       - [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning)
       - [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery)
       - [EnableWindowsHelloProvisioningForSecurityKeys](#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
@@ -164,6 +165,55 @@ Root node for policies.
 
 <!-- Device-{TenantId}-Policies-End -->
 
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Begin -->
+#### Device/{TenantId}/Policies/DisablePostLogonCredentialCaching
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Applicability-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/DisablePostLogonCredentialCaching
+```
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-OmaUri-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Description-Begin -->
+<!-- Description-Source-DDF -->
+Disable caching of the Windows Hello for Business credential after sign-in.
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Description-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Editable-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | False |
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-DFProperties-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disabled. |
+| true | Enabled. |
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-AllowedValues-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-Examples-End -->
+
+<!-- Device-{TenantId}-Policies-DisablePostLogonCredentialCaching-End -->
+
 <!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Begin -->
 #### Device/{TenantId}/Policies/DisablePostLogonProvisioning
 
@@ -1069,9 +1119,9 @@ Windows Hello for Business can use certificates to authenticate to on-premise re
 
 <!-- Device-{TenantId}-Policies-UseCloudTrustForOnPremAuth-Description-Begin -->
 <!-- Description-Source-DDF -->
-Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources.
+Boolean value that enables Windows Hello for Business to use Microsoft Entra Kerberos to authenticate to on-premises resources.
 
-- If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain.
+- If you enable this policy setting, Windows Hello for Business will use a Microsoft Entra Kerberos ticket to authenticate to on-premises resources. The Microsoft Entra Kerberos ticket is returned to the client after a successful authentication to Microsoft Entra ID if Microsoft Entra Kerberos is enabled for the tenant and domain.
 
 - If you disable or don't configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources.
 <!-- Device-{TenantId}-Policies-UseCloudTrustForOnPremAuth-Description-End -->
@@ -1176,7 +1226,7 @@ Windows requires a user to lock and unlock their session after changing this set
 
 <!-- Device-{TenantId}-Policies-UsePassportForWork-Description-Begin -->
 <!-- Description-Source-DDF -->
-Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
+Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Microsoft Entra account that can replace passwords, Smart Cards, and Virtual Smart Cards.
 
 - If you enable or don't configure this policy setting, the device provisions Windows Hello for Business for all users.
 
@@ -2503,7 +2553,7 @@ A Trusted Platform Module (TPM) provides additional security benefits over softw
 
 <!-- User-{TenantId}-Policies-UsePassportForWork-Description-Begin -->
 <!-- Description-Source-DDF -->
-Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
+Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Microsoft Entra account that can replace passwords, Smart Cards, and Virtual Smart Cards.
 
 - If you enable or don't configure this policy setting, the device provisions Windows Hello for Business for all users.
 
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 8a2ac551bc..6cfc4fabfc 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/02/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -892,6 +892,45 @@ If you disable or do not configure this policy setting, the PIN recovery secret
             </MSFT:AllowedValues>
           </DFProperties>
         </Node>
+        <Node>
+          <NodeName>DisablePostLogonCredentialCaching</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Add />
+              <Delete />
+              <Get />
+              <Replace />
+            </AccessType>
+            <DefaultValue>False</DefaultValue>
+            <Description>Disable caching of the Windows Hello for Business credential after sign-in.</Description>
+            <DFFormat>
+              <bool />
+            </DFFormat>
+            <Occurrence>
+              <ZeroOrOne />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+            <MSFT:Applicability>
+              <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+              <MSFT:CspVersion>1.6</MSFT:CspVersion>
+            </MSFT:Applicability>
+            <MSFT:AllowedValues ValueType="ENUM">
+              <MSFT:Enum>
+                <MSFT:Value>false</MSFT:Value>
+                <MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
+              </MSFT:Enum>
+              <MSFT:Enum>
+                <MSFT:Value>true</MSFT:Value>
+                <MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
+              </MSFT:Enum>
+            </MSFT:AllowedValues>
+          </DFProperties>
+        </Node>
         <Node>
           <NodeName>UseCertificateForOnPremAuth</NodeName>
           <DFProperties>
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index b1d980b61f..bc9ea26ab4 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/07/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2144,6 +2144,7 @@ This article lists the ADMX-backed policies in Policy CSP.
 - [EnableAdditionalSources](policy-csp-desktopappinstaller.md)
 - [EnableAllowedSources](policy-csp-desktopappinstaller.md)
 - [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md)
+- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md)
 
 ## DeviceInstallation
 
@@ -2182,6 +2183,11 @@ This article lists the ADMX-backed policies in Policy CSP.
 - [TurnOffDataExecutionPreventionForExplorer](policy-csp-fileexplorer.md)
 - [TurnOffHeapTerminationOnCorruption](policy-csp-fileexplorer.md)
 
+## FileSystem
+
+- [EnableDevDrive](policy-csp-filesystem.md)
+- [DevDriveAttachPolicy](policy-csp-filesystem.md)
+
 ## InternetExplorer
 
 - [AddSearchProvider](policy-csp-internetexplorer.md)
@@ -2411,7 +2417,10 @@ This article lists the ADMX-backed policies in Policy CSP.
 - [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
 - [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
 - [InternetZoneLogonOptions](policy-csp-internetexplorer.md)
+- [IntranetZoneLogonOptions](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
 - [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
+- [LocalMachineZoneLogonOptions](policy-csp-internetexplorer.md)
 - [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md)
 - [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md)
 - [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index 28d800cc4a..a1d5758c14 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -383,10 +383,18 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [Devices_AllowedToFormatAndEjectRemovableMedia](policy-csp-localpoliciessecurityoptions.md)
 - [Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](policy-csp-localpoliciessecurityoptions.md)
 - [Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md)
+- [Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DigitallySignSecureChannelDataWhenPossible](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md)
+- [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_MachineAccountThreshold](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
 - [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
@@ -394,11 +402,13 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [MicrosoftNetworkClient_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md)
 - [MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](policy-csp-localpoliciessecurityoptions.md)
 - [MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](policy-csp-localpoliciessecurityoptions.md)
+- [MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](policy-csp-localpoliciessecurityoptions.md)
 - [MicrosoftNetworkServer_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md)
 - [MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](policy-csp-localpoliciessecurityoptions.md)
@@ -412,8 +422,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md)
 - [NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](policy-csp-localpoliciessecurityoptions.md)
+- [RecoveryConsole_AllowAutomaticAdministrativeLogon](policy-csp-localpoliciessecurityoptions.md)
 - [Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](policy-csp-localpoliciessecurityoptions.md)
 - [Shutdown_ClearVirtualMemoryPageFile](policy-csp-localpoliciessecurityoptions.md)
+- [SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems](policy-csp-localpoliciessecurityoptions.md)
 - [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
 - [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md)
 - [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md)
@@ -836,6 +848,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md)
 - [AllowInternetSharing](policy-csp-wifi.md)
 
+## WindowsAI
+
+- [TurnOffWindowsCopilot](policy-csp-windowsai.md)
+
 ## WindowsDefenderSecurityCenter
 
 - [CompanyName](policy-csp-windowsdefendersecuritycenter.md)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index ac553b2f8e..7e755cbccd 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 09/25/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 27e164c141..f7695f6a8a 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -4,7 +4,7 @@ description: Learn more about the Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/29/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -1118,6 +1118,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
 - [ExploitGuard](policy-csp-exploitguard.md)
 - [FederatedAuthentication](policy-csp-federatedauthentication.md)
 - [FileExplorer](policy-csp-fileexplorer.md)
+- [FileSystem](policy-csp-filesystem.md)
 - [Games](policy-csp-games.md)
 - [Handwriting](policy-csp-handwriting.md)
 - [HumanPresence](policy-csp-humanpresence.md)
@@ -1175,6 +1176,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
 - [VirtualizationBasedTechnology](policy-csp-virtualizationbasedtechnology.md)
 - [WebThreatDefense](policy-csp-webthreatdefense.md)
 - [Wifi](policy-csp-wifi.md)
+- [WindowsAI](policy-csp-windowsai.md)
 - [WindowsAutopilot](policy-csp-windowsautopilot.md)
 - [WindowsConnectionManager](policy-csp-windowsconnectionmanager.md)
 - [WindowsDefenderSecurityCenter](policy-csp-windowsdefendersecuritycenter.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md
index 289c643dd9..e1194939bb 100644
--- a/windows/client-management/mdm/policy-csp-admx-datacollection.md
+++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md
@@ -46,8 +46,8 @@ If you disable or don't configure this policy setting, then Microsoft won't be a
 
 <!-- CommercialIdPolicy-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-> [!IMPORTANT]
-> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+> [!NOTE]
+> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration).
 <!-- CommercialIdPolicy-Editable-End -->
 
 <!-- CommercialIdPolicy-DFProperties-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
index 7cdc026046..f462eeaba0 100644
--- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/30/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -3239,7 +3239,12 @@ This policy setting allows you to configure heuristics. Suspicious detections wi
 <!-- Scan_DisablePackedExeScanning-OmaUri-End -->
 
 <!-- Scan_DisablePackedExeScanning-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to configure scanning for packed executables. It's recommended that this type of scanning remain enabled.
+
+- If you enable or don't configure this setting, packed executables will be scanned.
+
+- If you disable this setting, packed executables won't be scanned.
 <!-- Scan_DisablePackedExeScanning-Description-End -->
 
 <!-- Scan_DisablePackedExeScanning-Editable-Begin -->
@@ -3256,7 +3261,6 @@ This policy setting allows you to configure heuristics. Suspicious detections wi
 <!-- Scan_DisablePackedExeScanning-DFProperties-End -->
 
 <!-- Scan_DisablePackedExeScanning-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -3264,6 +3268,11 @@ This policy setting allows you to configure heuristics. Suspicious detections wi
 | Name | Value |
 |:--|:--|
 | Name | Scan_DisablePackedExeScanning |
+| Friendly Name | Scan packed executables |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | DisablePackedExeScanning |
 | ADMX File Name | WindowsDefender.admx |
 <!-- Scan_DisablePackedExeScanning-AdmxBacked-End -->
 
diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md
index f6b11c6d2b..19a7dcb36f 100644
--- a/windows/client-management/mdm/policy-csp-admx-ncsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md
@@ -269,7 +269,7 @@ This policy setting enables you to specify the HTTPS URL of the corporate websit
 <!-- NCSI_DomainLocationDeterminationUrl-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> This indicates the Network Location Server (NLS) URL and applies exclusively to DirectAccess clients (it does NOT apply for example to VPN clients). For non-DirectAccess scenarios, such as Azure AD only joined devices, please refer to [Policy CSP - NetworkListManager](./policy-csp-networklistmanager.md).
+> This indicates the Network Location Server (NLS) URL and applies exclusively to DirectAccess clients (it does NOT apply for example to VPN clients). For non-DirectAccess scenarios, such as Microsoft Entra-only joined devices, please refer to [Policy CSP - NetworkListManager](./policy-csp-networklistmanager.md).
 <!-- NCSI_DomainLocationDeterminationUrl-Editable-End -->
 
 <!-- NCSI_DomainLocationDeterminationUrl-DFProperties-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
index 845fe646f5..690350461f 100644
--- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/30/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2457,6 +2457,9 @@ Per Device licensing mode requires that each device connecting to this RD Sessio
 - If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host.
 
 - If you disable or don't configure this policy setting, the licensing mode isn't specified at the Group Policy level.
+
+> [!NOTE]
+> AAD Per User mode is deprecated on Windows 11 and above.
 <!-- TS_LICENSING_MODE-Description-End -->
 
 <!-- TS_LICENSING_MODE-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 0d8d931bf2..7796c7da9d 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -37,7 +37,7 @@ ms.topic: reference
 
 <!-- DefaultAssociationsConfiguration-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). The file can be further edited by adding attributes to control how often associations are applied by the policy. The file then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
+This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Microsoft Entra joined, the associations assigned in SyncML will be processed and default associations will be applied.
 <!-- DefaultAssociationsConfiguration-Description-End -->
 
 <!-- DefaultAssociationsConfiguration-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 1a51901f9e..e94015c259 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -39,13 +39,13 @@ ms.topic: reference
 
 <!-- AllowAadPasswordReset-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies whether password reset is enabled for AAD accounts.
+Specifies whether password reset is enabled for Microsoft Entra accounts.
 <!-- AllowAadPasswordReset-Description-End -->
 
 <!-- AllowAadPasswordReset-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
-This policy allows the Azure Active Directory (Azure AD) tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.
+This policy allows the Microsoft Entra tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.
 <!-- AllowAadPasswordReset-Editable-End -->
 
 <!-- AllowAadPasswordReset-DFProperties-Begin -->
@@ -262,7 +262,7 @@ Specifies a list of domains that are allowed to access the webcam in Web Sign-in
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
 > [!NOTE]
-> Web sign-in is only supported on Azure AD joined PCs.
+> Web sign-in is only supported on Microsoft Entra joined PCs.
 <!-- ConfigureWebcamAccessDomainNames-Editable-End -->
 
 <!-- ConfigureWebcamAccessDomainNames-DFProperties-Begin -->
@@ -312,7 +312,7 @@ Specifies a list of URLs that are navigable in Web Sign-in based authentication
 
 This policy specifies the list of domains that users can access in certain authentication scenarios. For example:
 
-- Azure Active Directory (Azure AD) PIN reset
+- Microsoft Entra ID PIN reset
 - Web sign-in Windows device scenarios where authentication is handled by Active Directory Federation Services (AD FS) or a third-party federated identity provider
 
 > [!NOTE]
@@ -358,13 +358,13 @@ Your organization's PIN reset or web sign-in authentication flow is expected to
 
 <!-- EnableFastFirstSignIn-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts.
+Specifies whether new non-admin Microsoft Entra accounts should auto-connect to pre-created candidate local accounts.
 <!-- EnableFastFirstSignIn-Description-End -->
 
 <!-- EnableFastFirstSignIn-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
-This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
+This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Microsoft Entra accounts to the pre-configured candidate local accounts.
 
 > [!IMPORTANT]
 > Pre-configured candidate local accounts are any local accounts that are pre-configured or added on the device.
@@ -386,8 +386,8 @@ This policy is intended for use on Shared PCs to enable a quick first sign-in ex
 | Value | Description |
 |:--|:--|
 | 0 (Default) | The feature defaults to the existing SKU and device capabilities. |
-| 1 | Enabled. Auto-connect new non-admin Azure AD accounts to pre-configured candidate local accounts. |
-| 2 | Disabled. Don't auto-connect new non-admin Azure AD accounts to pre-configured local accounts. |
+| 1 | Enabled. Auto-connect new non-admin Microsoft Entra accounts to pre-configured candidate local accounts. |
+| 2 | Disabled. Don't auto-connect new non-admin Microsoft Entra accounts to pre-configured local accounts. |
 <!-- EnableFastFirstSignIn-AllowedValues-End -->
 
 <!-- EnableFastFirstSignIn-Examples-Begin -->
@@ -470,12 +470,12 @@ Specifies whether web-based sign-in is allowed for signing in to Windows.
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
 > [!WARNING]
-> The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Azure Active Directory (Azure AD), unless it's used in a limited federated scope.
+> The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Microsoft Entra ID, unless it's used in a limited federated scope.
 
-**Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Azure AD credentials, like temporary access pass.
+**Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Microsoft Entra credentials, like temporary access pass.
 
 > [!NOTE]
-> Web sign-in is only supported on Azure AD joined PCs.
+> Web sign-in is only supported on Microsoft Entra joined PCs.
 <!-- EnableWebSignIn-Editable-End -->
 
 <!-- EnableWebSignIn-DFProperties-Begin -->
@@ -521,7 +521,7 @@ Specifies whether web-based sign-in is allowed for signing in to Windows.
 
 <!-- PreferredAadTenantDomainName-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies the preferred domain among available domains in the AAD tenant.
+Specifies the preferred domain among available domains in the Microsoft Entra tenant.
 <!-- PreferredAadTenantDomainName-Description-End -->
 
 <!-- PreferredAadTenantDomainName-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md
index 6fbb9672f7..66d7fcc0ad 100644
--- a/windows/client-management/mdm/policy-csp-clouddesktop.md
+++ b/windows/client-management/mdm/policy-csp-clouddesktop.md
@@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 09/14/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -16,8 +16,6 @@ ms.topic: reference
 <!-- CloudDesktop-Begin -->
 # Policy CSP - CloudDesktop
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- CloudDesktop-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- CloudDesktop-Editable-End -->
@@ -28,7 +26,7 @@ ms.topic: reference
 <!-- BootToCloudMode-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2338] and later |
 <!-- BootToCloudMode-Applicability-End -->
 
 <!-- BootToCloudMode-OmaUri-Begin -->
@@ -77,7 +75,7 @@ This policy allows the user to configure the boot to cloud mode. Boot to Cloud m
 <!-- SetMaxConnectionTimeout-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.22631.2050] |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2338] and later |
 <!-- SetMaxConnectionTimeout-Applicability-End -->
 
 <!-- SetMaxConnectionTimeout-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index 485f675610..4c27326f83 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -49,7 +49,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
 This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
 
 > [!NOTE]
-> This policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1.
+> In Windows 10 version 1803, this policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1.
 
 The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that:
 
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 26ad80a56b..a5874803b9 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -4,7 +4,7 @@ description: Learn more about the Cryptography Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/29/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -228,7 +228,6 @@ Override minimal enabled TLS version for client role. Last write wins.
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Delete, Get, Replace |
-| Default Value  | 1.0 |
 <!-- OverrideMinimumEnabledDTLSVersionClient-DFProperties-End -->
 
 <!-- OverrideMinimumEnabledDTLSVersionClient-Examples-Begin -->
@@ -268,7 +267,6 @@ Override minimal enabled TLS version for server role. Last write wins.
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Delete, Get, Replace |
-| Default Value  | 1.0 |
 <!-- OverrideMinimumEnabledDTLSVersionServer-DFProperties-End -->
 
 <!-- OverrideMinimumEnabledDTLSVersionServer-Examples-Begin -->
@@ -308,7 +306,6 @@ Override minimal enabled TLS version for client role. Last write wins.
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Delete, Get, Replace |
-| Default Value  | 1.0 |
 <!-- OverrideMinimumEnabledTLSVersionClient-DFProperties-End -->
 
 <!-- OverrideMinimumEnabledTLSVersionClient-Examples-Begin -->
@@ -348,7 +345,6 @@ Override minimal enabled TLS version for server role. Last write wins.
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Delete, Get, Replace |
-| Default Value  | 1.0 |
 <!-- OverrideMinimumEnabledTLSVersionServer-DFProperties-End -->
 
 <!-- OverrideMinimumEnabledTLSVersionServer-Examples-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 7216ad6c03..325dcb5961 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -1074,10 +1074,18 @@ This policy setting allows you to configure the maximum percentage CPU utilizati
 - If you enable this setting, CPU utilization won't exceed the percentage specified.
 
 - If you disable or don't configure this setting, CPU utilization won't exceed the default value.
+
 <!-- AvgCPULoadFactor-Description-End -->
 
 <!-- AvgCPULoadFactor-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+
+> [!NOTE]
+> If you enable both of the following policies, then Windows ignores the value of **AvgCPULoadFactor**:
+> 
+> - [ScanOnlyIfIdle](defender-csp.md#configurationscanonlyifidleenabled): Instructs the product to scan only when the computer isn't in use.
+> - [DisableCpuThrottleOnIdleScans](defender-csp.md#configurationdisablecputhrottleonidlescans): Instructs the product to disable CPU throttling on idle scans.
+
 <!-- AvgCPULoadFactor-Editable-End -->
 
 <!-- AvgCPULoadFactor-DFProperties-Begin -->
@@ -2902,7 +2910,9 @@ Valid remediation action values are:
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 <!-- Links -->
 [TAMPER-1]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
+
 [TAMPER-2]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-about-exclusions
+
 <!-- Defender-CspMoreInfo-End -->
 
 <!-- Defender-End -->
@@ -2910,3 +2920,4 @@ Valid remediation action values are:
 ## Related articles
 
 [Policy configuration service provider](policy-configuration-service-provider.md)
+
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 2c24bd31ed..c8b37170cf 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -703,13 +703,13 @@ Note this is a best effort optimization and shouldn't be relied on for an authen
 
 <!-- DOGroupIdSource-Description-Begin -->
 <!-- Description-Source-DDF-Forced -->
-Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
+Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
 <!-- DOGroupIdSource-Description-End -->
 
 <!-- DOGroupIdSource-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead.
+> The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead.
 <!-- DOGroupIdSource-Editable-End -->
 
 <!-- DOGroupIdSource-DFProperties-Begin -->
@@ -732,7 +732,7 @@ Set this policy to restrict peer selection to a specific source. Available optio
 | 2 | Authenticated domain SID. |
 | 3 | DHCP user option. |
 | 4 | DNS suffix. |
-| 5 | AAD. |
+| 5 | Microsoft Entra ID. |
 <!-- DOGroupIdSource-AllowedValues-End -->
 
 <!-- DOGroupIdSource-GpMapping-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
index 0e8a4f4777..700a225113 100644
--- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
 <!-- DesktopAppInstaller-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- DesktopAppInstaller-Editable-End -->
@@ -723,6 +725,56 @@ The settings are stored inside of a .json file on the user’s system. It may be
 
 <!-- EnableSettings-End -->
 
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Begin -->
+## EnableWindowsPackageManagerCommandLineInterfaces
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Applicability-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableWindowsPackageManagerCommandLineInterfaces
+```
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-OmaUri-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-Begin -->
+<!-- Description-Source-Not-Found -->
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Description-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Editable-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-DFProperties-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-Begin -->
+<!-- ADMX-Not-Found -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableWindowsPackageManagerCommandLineInterfaces |
+| ADMX File Name | DesktopAppInstaller.admx |
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-AdmxBacked-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-Examples-End -->
+
+<!-- EnableWindowsPackageManagerCommandLineInterfaces-End -->
+
 <!-- SourceAutoUpdateInterval-Begin -->
 ## SourceAutoUpdateInterval
 
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index aea8cbe4f0..3fbecc7fbe 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -352,7 +352,7 @@ When Find My Device is off, the device and its location aren't registered and th
 
 <!-- AllowManualMDMUnenrollment-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e. g. auto-enrolled), then disabling the MDM unenrollment has no effect.
+Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Microsoft Entra joined and MDM enrolled (e. g. auto-enrolled), then disabling the MDM unenrollment has no effect.
 
 > [!NOTE]
 > The MDM server can always remotely delete the account. Most restricted value is 0.
diff --git a/windows/client-management/mdm/policy-csp-federatedauthentication.md b/windows/client-management/mdm/policy-csp-federatedauthentication.md
index c16129a3eb..efda2740d9 100644
--- a/windows/client-management/mdm/policy-csp-federatedauthentication.md
+++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md
@@ -43,7 +43,7 @@ Specifies whether web-based sign-in is enabled with the Primary User experience.
 <!-- EnableWebSignInForPrimaryUser-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> Web Sign-in is only supported on Azure AD Joined PCs.
+> Web Sign-in is only supported on Microsoft Entra joined PCs.
 <!-- EnableWebSignInForPrimaryUser-Editable-End -->
 
 <!-- EnableWebSignInForPrimaryUser-DFProperties-Begin -->
@@ -63,7 +63,7 @@ Specifies whether web-based sign-in is enabled with the Primary User experience.
 |:--|:--|
 | 0 (Default) | Feature defaults as appropriate for edition and device capabilities. As of now, all editions/devices exhibit Disabled behavior by default. However, this may change for future editions/devices. |
 | 1 | Enabled. Web Sign-in Credential Provider will be enabled for device sign-in. |
-| 2 | Disabled. Web Sign-in Credential Provider will be not be enabled for device sign-in. |
+| 2 | Disabled. Web Sign-in Credential Provider isn't be enabled for device sign-in. |
 <!-- EnableWebSignInForPrimaryUser-AllowedValues-End -->
 
 <!-- EnableWebSignInForPrimaryUser-Examples-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md
index 3be567246d..75e9fb777f 100644
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@@ -4,7 +4,7 @@ description: Learn more about the FileExplorer Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/30/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -145,7 +145,7 @@ When This PC location is restricted, give the user the option to enumerate and n
 
 <!-- DisableGraphRecentItems-Description-Begin -->
 <!-- Description-Source-ADMX -->
-Turning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view.
+Turning off this setting will prevent File Explorer from requesting cloud file metadata and displaying it in the homepage and other views in File Explorer. Any insights and files available based on account activity will be stopped in views such as Recent, Recommended, Favorites, etc.
 <!-- DisableGraphRecentItems-Description-End -->
 
 <!-- DisableGraphRecentItems-Editable-Begin -->
@@ -167,8 +167,8 @@ Turning off files from Office.com will prevent File Explorer from requesting rec
 
 | Value | Description |
 |:--|:--|
-| 0 (Default) | File Explorer will request cloud file metadata and display it in the Quick access view. |
-| 1 | File Explorer won't request cloud file metadata or display it in the Quick access view. |
+| 0 (Default) | File Explorer will request cloud file metadata and display it in the homepage and other views. |
+| 1 | File Explorer won't request cloud file metadata or display it in the homepage or other views. |
 <!-- DisableGraphRecentItems-AllowedValues-End -->
 
 <!-- DisableGraphRecentItems-GpMapping-Begin -->
@@ -177,7 +177,7 @@ Turning off files from Office.com will prevent File Explorer from requesting rec
 | Name | Value |
 |:--|:--|
 | Name | DisableGraphRecentItems |
-| Friendly Name | Turn off files from Office.com in Quick access view |
+| Friendly Name | Turn off account-based insights, recent, favorite, and recommended files in File Explorer |
 | Location | Computer Configuration |
 | Path | WindowsComponents > File Explorer |
 | Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
diff --git a/windows/client-management/mdm/policy-csp-filesystem.md b/windows/client-management/mdm/policy-csp-filesystem.md
new file mode 100644
index 0000000000..57ec3f91e0
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-filesystem.md
@@ -0,0 +1,152 @@
+---
+title: FileSystem Policy CSP
+description: Learn more about the FileSystem Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 08/30/2023
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- FileSystem-Begin -->
+# Policy CSP - FileSystem
+
+[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
+<!-- FileSystem-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- FileSystem-Editable-End -->
+
+<!-- DevDriveAttachPolicy-Begin -->
+## DevDriveAttachPolicy
+
+<!-- DevDriveAttachPolicy-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- DevDriveAttachPolicy-Applicability-End -->
+
+<!-- DevDriveAttachPolicy-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/FileSystem/DevDriveAttachPolicy
+```
+<!-- DevDriveAttachPolicy-OmaUri-End -->
+
+<!-- DevDriveAttachPolicy-Description-Begin -->
+<!-- Description-Source-ADMX -->
+Dev drive is a drive optimized for performance considering developer scenarios and by default no file system filters are attached to it. Filters listed in this setting will be allowed to attach even on a dev drive.
+
+A reboot is required for this setting to take effect.
+<!-- DevDriveAttachPolicy-Description-End -->
+
+<!-- DevDriveAttachPolicy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DevDriveAttachPolicy-Editable-End -->
+
+<!-- DevDriveAttachPolicy-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- DevDriveAttachPolicy-DFProperties-End -->
+
+<!-- DevDriveAttachPolicy-AdmxBacked-Begin -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DevDriveAttachPolicy |
+| Friendly Name | Dev drive filter attach policy |
+| Location | Computer Configuration |
+| Path | System > Filesystem |
+| Registry Key Name | System\CurrentControlSet\Policies |
+| ADMX File Name | filtermanager.admx |
+<!-- DevDriveAttachPolicy-AdmxBacked-End -->
+
+<!-- DevDriveAttachPolicy-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DevDriveAttachPolicy-Examples-End -->
+
+<!-- DevDriveAttachPolicy-End -->
+
+<!-- EnableDevDrive-Begin -->
+## EnableDevDrive
+
+<!-- EnableDevDrive-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- EnableDevDrive-Applicability-End -->
+
+<!-- EnableDevDrive-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/FileSystem/EnableDevDrive
+```
+<!-- EnableDevDrive-OmaUri-End -->
+
+<!-- EnableDevDrive-Description-Begin -->
+<!-- Description-Source-ADMX -->
+Dev drive or developer volume is a volume optimized for performance of developer scenarios. A developer volume allows an administrator to choose file system filters that are attached on the volume.
+
+Disabling this setting will disallow creation of new developer volumes, existing developer volumes will mount as regular volumes.
+
+If this setting isn't configured the default policy is to enable developer volumes while allowing antivirus filter to attach on a deveveloper volume. Further, if not configured, a local administrator can choose to not have antivirus filter attached to a developer volume.
+
+A reboot is required for this setting to take effect.
+<!-- EnableDevDrive-Description-End -->
+
+<!-- EnableDevDrive-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableDevDrive-Editable-End -->
+
+<!-- EnableDevDrive-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- EnableDevDrive-DFProperties-End -->
+
+<!-- EnableDevDrive-AdmxBacked-Begin -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableDevDrive |
+| Friendly Name | Enable dev drive |
+| Location | Computer Configuration |
+| Path | System > Filesystem |
+| Registry Key Name | System\CurrentControlSet\Policies |
+| Registry Value Name | FsEnableDevDrive |
+| ADMX File Name | refs.admx |
+<!-- EnableDevDrive-AdmxBacked-End -->
+
+<!-- EnableDevDrive-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableDevDrive-Examples-End -->
+
+<!-- EnableDevDrive-End -->
+
+<!-- FileSystem-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- FileSystem-CspMoreInfo-End -->
+
+<!-- FileSystem-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md
index e0cc0d9db0..6584e6372b 100644
--- a/windows/client-management/mdm/policy-csp-humanpresence.md
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@@ -4,7 +4,7 @@ description: Learn more about the HumanPresence Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/30/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -38,8 +38,8 @@ ms.topic: reference
 <!-- ForceAllowDimWhenExternalDisplayConnected-OmaUri-End -->
 
 <!-- ForceAllowDimWhenExternalDisplayConnected-Description-Begin -->
-<!-- Description-Source-DDF -->
-Determines whether Allow Adaptive Dimming When External Display Connected checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
+<!-- Description-Source-ADMX -->
+Determines whether Allow Adaptive Dimming When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
 <!-- ForceAllowDimWhenExternalDisplayConnected-Description-End -->
 
 <!-- ForceAllowDimWhenExternalDisplayConnected-Editable-Begin -->
@@ -72,7 +72,12 @@ Determines whether Allow Adaptive Dimming When External Display Connected checkb
 | Name | Value |
 |:--|:--|
 | Name | ForceAllowDimWhenExternalDisplayConnected |
-| Path | Sensors > AT > WindowsComponents > HumanPresence |
+| Friendly Name | Force Allow Dim When External Display Connected |
+| Location | Computer Configuration |
+| Path | Windows Components > Human Presence |
+| Registry Key Name | Software\Policies\Microsoft\HumanPresence |
+| Registry Value Name | ForceAllowDimWhenExternalDisplayConnected |
+| ADMX File Name | Sensors.admx |
 <!-- ForceAllowDimWhenExternalDisplayConnected-GpMapping-End -->
 
 <!-- ForceAllowDimWhenExternalDisplayConnected-Examples-Begin -->
@@ -97,8 +102,8 @@ Determines whether Allow Adaptive Dimming When External Display Connected checkb
 <!-- ForceAllowLockWhenExternalDisplayConnected-OmaUri-End -->
 
 <!-- ForceAllowLockWhenExternalDisplayConnected-Description-Begin -->
-<!-- Description-Source-DDF -->
-Determines whether Allow Lock on Leave When External Display Connected checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
+<!-- Description-Source-ADMX -->
+Determines whether Allow Lock on Leave When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
 <!-- ForceAllowLockWhenExternalDisplayConnected-Description-End -->
 
 <!-- ForceAllowLockWhenExternalDisplayConnected-Editable-Begin -->
@@ -131,7 +136,12 @@ Determines whether Allow Lock on Leave When External Display Connected checkbox
 | Name | Value |
 |:--|:--|
 | Name | ForceAllowLockWhenExternalDisplayConnected |
-| Path | Sensors > AT > WindowsComponents > HumanPresence |
+| Friendly Name | Force Allow Lock When External Display Connected |
+| Location | Computer Configuration |
+| Path | Windows Components > Human Presence |
+| Registry Key Name | Software\Policies\Microsoft\HumanPresence |
+| Registry Value Name | ForceAllowLockWhenExternalDisplayConnected |
+| ADMX File Name | Sensors.admx |
 <!-- ForceAllowLockWhenExternalDisplayConnected-GpMapping-End -->
 
 <!-- ForceAllowLockWhenExternalDisplayConnected-Examples-Begin -->
@@ -156,7 +166,7 @@ Determines whether Allow Lock on Leave When External Display Connected checkbox
 <!-- ForceAllowWakeWhenExternalDisplayConnected-OmaUri-End -->
 
 <!-- ForceAllowWakeWhenExternalDisplayConnected-Description-Begin -->
-<!-- Description-Source-DDF -->
+<!-- Description-Source-ADMX -->
 Determines whether Allow Wake on Approach When External Display Connected checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
 <!-- ForceAllowWakeWhenExternalDisplayConnected-Description-End -->
 
@@ -190,7 +200,12 @@ Determines whether Allow Wake on Approach When External Display Connected checkb
 | Name | Value |
 |:--|:--|
 | Name | ForceAllowWakeWhenExternalDisplayConnected |
-| Path | Sensors > AT > WindowsComponents > HumanPresence |
+| Friendly Name | Force Allow Wake When External Display Connected |
+| Location | Computer Configuration |
+| Path | Windows Components > Human Presence |
+| Registry Key Name | Software\Policies\Microsoft\HumanPresence |
+| Registry Value Name | ForceAllowWakeWhenExternalDisplayConnected |
+| ADMX File Name | Sensors.admx |
 <!-- ForceAllowWakeWhenExternalDisplayConnected-GpMapping-End -->
 
 <!-- ForceAllowWakeWhenExternalDisplayConnected-Examples-Begin -->
@@ -215,7 +230,7 @@ Determines whether Allow Wake on Approach When External Display Connected checkb
 <!-- ForceDisableWakeWhenBatterySaverOn-OmaUri-End -->
 
 <!-- ForceDisableWakeWhenBatterySaverOn-Description-Begin -->
-<!-- Description-Source-DDF -->
+<!-- Description-Source-ADMX -->
 Determines whether Disable Wake on Approach When Battery Saver On checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
 <!-- ForceDisableWakeWhenBatterySaverOn-Description-End -->
 
@@ -249,7 +264,12 @@ Determines whether Disable Wake on Approach When Battery Saver On checkbox is fo
 | Name | Value |
 |:--|:--|
 | Name | ForceDisableWakeWhenBatterySaverOn |
-| Path | Sensors > AT > WindowsComponents > HumanPresence |
+| Friendly Name | Force Disable Wake When Battery Saver On |
+| Location | Computer Configuration |
+| Path | Windows Components > Human Presence |
+| Registry Key Name | Software\Policies\Microsoft\HumanPresence |
+| Registry Value Name | ForceDisableWakeWhenBatterySaverOn |
+| ADMX File Name | Sensors.admx |
 <!-- ForceDisableWakeWhenBatterySaverOn-GpMapping-End -->
 
 <!-- ForceDisableWakeWhenBatterySaverOn-Examples-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index c0b5145841..d707b4af93 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
 <!-- InternetExplorer-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- InternetExplorer-Editable-End -->
@@ -7727,6 +7729,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
 
 <!-- IntranetZoneJavaPermissions-End -->
 
+<!-- IntranetZoneLogonOptions-Begin -->
+## IntranetZoneLogonOptions
+
+<!-- IntranetZoneLogonOptions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- IntranetZoneLogonOptions-Applicability-End -->
+
+<!-- IntranetZoneLogonOptions-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneLogonOptions
+```
+<!-- IntranetZoneLogonOptions-OmaUri-End -->
+
+<!-- IntranetZoneLogonOptions-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon only in Intranet zone.
+<!-- IntranetZoneLogonOptions-Description-End -->
+
+<!-- IntranetZoneLogonOptions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- IntranetZoneLogonOptions-Editable-End -->
+
+<!-- IntranetZoneLogonOptions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- IntranetZoneLogonOptions-DFProperties-End -->
+
+<!-- IntranetZoneLogonOptions-AdmxBacked-Begin -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_3 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 |
+| ADMX File Name | inetres.admx |
+<!-- IntranetZoneLogonOptions-AdmxBacked-End -->
+
+<!-- IntranetZoneLogonOptions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- IntranetZoneLogonOptions-Examples-End -->
+
+<!-- IntranetZoneLogonOptions-End -->
+
 <!-- IntranetZoneNavigateWindowsAndFrames-Begin -->
 ## IntranetZoneNavigateWindowsAndFrames
 
@@ -8730,6 +8804,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
 
 <!-- LocalMachineZoneJavaPermissions-End -->
 
+<!-- LocalMachineZoneLogonOptions-Begin -->
+## LocalMachineZoneLogonOptions
+
+<!-- LocalMachineZoneLogonOptions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- LocalMachineZoneLogonOptions-Applicability-End -->
+
+<!-- LocalMachineZoneLogonOptions-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneLogonOptions
+```
+<!-- LocalMachineZoneLogonOptions-OmaUri-End -->
+
+<!-- LocalMachineZoneLogonOptions-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon with current username and password.
+<!-- LocalMachineZoneLogonOptions-Description-End -->
+
+<!-- LocalMachineZoneLogonOptions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- LocalMachineZoneLogonOptions-Editable-End -->
+
+<!-- LocalMachineZoneLogonOptions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- LocalMachineZoneLogonOptions-DFProperties-End -->
+
+<!-- LocalMachineZoneLogonOptions-AdmxBacked-Begin -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_9 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 |
+| ADMX File Name | inetres.admx |
+<!-- LocalMachineZoneLogonOptions-AdmxBacked-End -->
+
+<!-- LocalMachineZoneLogonOptions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- LocalMachineZoneLogonOptions-Examples-End -->
+
+<!-- LocalMachineZoneLogonOptions-End -->
+
 <!-- LocalMachineZoneNavigateWindowsAndFrames-Begin -->
 ## LocalMachineZoneNavigateWindowsAndFrames
 
@@ -17229,6 +17375,78 @@ High Safety enables applets to run in their sandbox. Disable Java to prevent any
 
 <!-- TrustedSitesZoneJavaPermissions-End -->
 
+<!-- TrustedSitesZoneLogonOptions-Begin -->
+## TrustedSitesZoneLogonOptions
+
+<!-- TrustedSitesZoneLogonOptions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- TrustedSitesZoneLogonOptions-Applicability-End -->
+
+<!-- TrustedSitesZoneLogonOptions-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneLogonOptions
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneLogonOptions
+```
+<!-- TrustedSitesZoneLogonOptions-OmaUri-End -->
+
+<!-- TrustedSitesZoneLogonOptions-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to manage settings for logon options.
+
+- If you enable this policy setting, you can choose from the following logon options.
+
+Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
+
+Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.
+
+Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.
+
+- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.
+
+- If you don't configure this policy setting, logon is set to Automatic logon with current username and password.
+<!-- TrustedSitesZoneLogonOptions-Description-End -->
+
+<!-- TrustedSitesZoneLogonOptions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- TrustedSitesZoneLogonOptions-Editable-End -->
+
+<!-- TrustedSitesZoneLogonOptions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- TrustedSitesZoneLogonOptions-DFProperties-End -->
+
+<!-- TrustedSitesZoneLogonOptions-AdmxBacked-Begin -->
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IZ_PolicyLogon_5 |
+| Friendly Name | Logon options |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 |
+| ADMX File Name | inetres.admx |
+<!-- TrustedSitesZoneLogonOptions-AdmxBacked-End -->
+
+<!-- TrustedSitesZoneLogonOptions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- TrustedSitesZoneLogonOptions-Examples-End -->
+
+<!-- TrustedSitesZoneLogonOptions-End -->
+
 <!-- TrustedSitesZoneNavigateWindowsAndFrames-Begin -->
 ## TrustedSitesZoneNavigateWindowsAndFrames
 
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index cb861e1a11..60a01c822e 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -98,11 +98,11 @@ This policy setting defines the list of trusting forests that the Kerberos clien
 
 <!-- CloudKerberosTicketRetrievalEnabled-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket during logon.
+This policy setting allows retrieving the Microsoft Entra Kerberos Ticket Granting Ticket during logon.
 
-- If you disable or don't configure this policy setting, the Azure AD Kerberos Ticket Granting Ticket isn't retrieved during logon.
+- If you disable or don't configure this policy setting, the Microsoft Entra Kerberos Ticket Granting Ticket isn't retrieved during logon.
 
-- If you enable this policy setting, the Azure AD Kerberos Ticket Granting Ticket is retrieved during logon.
+- If you enable this policy setting, the Microsoft Entra Kerberos Ticket Granting Ticket is retrieved during logon.
 <!-- CloudKerberosTicketRetrievalEnabled-Description-End -->
 
 <!-- CloudKerberosTicketRetrievalEnabled-Editable-Begin -->
@@ -134,7 +134,7 @@ This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Tick
 | Name | Value |
 |:--|:--|
 | Name | CloudKerberosTicketRetrievalEnabled |
-| Friendly Name | Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon |
+| Friendly Name | Allow retrieving the Microsoft Entra Kerberos Ticket Granting Ticket during logon |
 | Location | Computer Configuration |
 | Path | System > Kerberos |
 | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters |
@@ -781,8 +781,8 @@ The size of the context token buffer determines the maximum size of SSPI context
 
 <!-- UPNNameHints-Description-Begin -->
 <!-- Description-Source-DDF -->
-Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal.
-This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it's otherwise unable to resolve a UPN to a principal.
+Devices joined to Microsoft Entra ID in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve a Microsoft Entra UPN into an Active Directory Principal.
+This parameter adds a list of domains that a Microsoft Entra joined device should attempt to contact if it's otherwise unable to resolve a UPN to a principal.
 <!-- UPNNameHints-Description-End -->
 
 <!-- UPNNameHints-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 9e5011246e..f3317c93af 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -4,7 +4,7 @@ description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CS
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -367,6 +367,134 @@ Accounts: Rename guest account This security setting determines whether a differ
 
 <!-- Accounts_RenameGuestAccount-End -->
 
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Begin -->
+## Audit_AuditTheUseOfBackupAndRestoreprivilege
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-End -->
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Audit_AuditTheUseOfBackupAndRestoreprivilege
+```
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-OmaUri-End -->
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Description-Begin -->
+<!-- Description-Source-DDF -->
+Audit: Audit the use of Backup and Restore privilege This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that's backed up or restored. If you disable this policy, then use of the Backup or Restore privilege isn't audited even when Audit privilege use is enabled.
+
+> [!NOTE]
+> On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows. Enabling this setting can cause a LOT of events, sometimes hundreds per second, during a backup operation. Default: Disabled.
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Description-End -->
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Editable-End -->
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `b64` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: ``) |
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-DFProperties-End -->
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Examples-End -->
+
+<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Begin -->
+## Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings
+```
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-OmaUri-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Description-Begin -->
+<!-- Description-Source-DDF -->
+Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing group policy may override the subcategory settings of new machines as they're joined to the domain or upgraded to Windows Vista or later versions. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. If the category level audit policy set here isn't consistent with the events that are currently being generated, the cause might be that this registry key is set. Default: Enabled.
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Description-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Editable-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-DFProperties-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Examples-End -->
+
+<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Begin -->
+## Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits
+```
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-OmaUri-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Description-Begin -->
+<!-- Description-Source-DDF -->
+Audit: Shut down system immediately if unable to log security audits This security setting determines whether the system shuts down if it's unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit can't be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that's specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. If the security log is full and an existing entry can't be overwritten, and this security option is enabled, the following Stop error appears: STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed. To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users, other than a member of the Administrators group will be able to log on to the system, even if the security log isn't full.
+
+> [!NOTE]
+> On Windows versions prior to Windows Vista configuring this security setting, changes won't take effect until you restart Windows. Default: Disabled.
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Description-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Editable-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-DFProperties-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Examples-End -->
+
+<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-End -->
+
 <!-- Devices_AllowedToFormatAndEjectRemovableMedia-Begin -->
 ## Devices_AllowedToFormatAndEjectRemovableMedia
 
@@ -588,6 +716,381 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
 
 <!-- Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly-End -->
 
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Begin -->
+## Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly
+```
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-OmaUri-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Description-Begin -->
+<!-- Description-Source-DDF -->
+Devices: Restrict floppy access to locally logged-on user only This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. If this policy is enabled and no one is logged-on interactively, the floppy can be accessed over the network. Default: This policy isn't defined and floppy disk drive access isn't restricted to the locally logged-on user.
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Description-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Editable-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-DFProperties-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Devices: Restrict floppy access to locally logged-on user only |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-GpMapping-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Examples-End -->
+
+<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Begin -->
+## DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+```
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-OmaUri-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Description-Begin -->
+<!-- Description-Source-DDF -->
+Domain member: Digitally encrypt or sign secure channel data (always) This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel won't be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Default: Enabled.
+
+> [!NOTE]
+> If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Description-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Editable-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-DFProperties-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Digitally encrypt or sign secure channel data (always) |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-GpMapping-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Examples-End -->
+
+<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Begin -->
+## DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+```
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-OmaUri-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Description-Begin -->
+<!-- Description-Source-DDF -->
+Domain member: Digitally encrypt secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member won't attempt to negotiate secure channel encryption. Default: Enabled.
+
+> [!IMPORTANT]
+> There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+> [!NOTE]
+> Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Description-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Editable-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-DFProperties-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Digitally encrypt secure channel data (when possible) |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-GpMapping-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Examples-End -->
+
+<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Begin -->
+## DomainMember_DigitallySignSecureChannelDataWhenPossible
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible
+```
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-OmaUri-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Description-Begin -->
+<!-- Description-Source-DDF -->
+Domain member: Digitally sign secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it can't be tampered with in transit. Default: Enabled.
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Description-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Editable-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-DFProperties-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Digitally sign secure channel data (when possible) |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-GpMapping-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Examples-End -->
+
+<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Begin -->
+## DomainMember_DisableMachineAccountPasswordChanges
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
+```
+<!-- DomainMember_DisableMachineAccountPasswordChanges-OmaUri-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Description-Begin -->
+<!-- Description-Source-DDF -->
+Domain member: Disable machine account password changes Determines whether a domain member periodically changes its computer account password.
+
+- If this setting is enabled, the domain member doesn't attempt to change its computer account password.
+
+- If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. Default: Disabled.
+
+> [!NOTE]
+> This security setting shouldn't be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it's established, the secure channel is used to transmit sensitive information that's necessary for making authentication and authorization decisions. This setting shouldn't be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Description-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Editable-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- DomainMember_DisableMachineAccountPasswordChanges-DFProperties-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Disable machine account password changes |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- DomainMember_DisableMachineAccountPasswordChanges-GpMapping-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DomainMember_DisableMachineAccountPasswordChanges-Examples-End -->
+
+<!-- DomainMember_DisableMachineAccountPasswordChanges-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Begin -->
+## DomainMember_MaximumMachineAccountPasswordAge
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge
+```
+<!-- DomainMember_MaximumMachineAccountPasswordAge-OmaUri-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Description-Begin -->
+<!-- Description-Source-DDF -->
+Domain member: Maximum machine account password age This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days.
+
+> [!IMPORTANT]
+> This setting applies to Windows 2000 computers, but it isn't available through the Security Configuration Manager tools on these computers.
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Description-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Editable-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value  | 30 |
+<!-- DomainMember_MaximumMachineAccountPasswordAge-DFProperties-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Maximum machine account password age |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- DomainMember_MaximumMachineAccountPasswordAge-GpMapping-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DomainMember_MaximumMachineAccountPasswordAge-Examples-End -->
+
+<!-- DomainMember_MaximumMachineAccountPasswordAge-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-Begin -->
+## DomainMember_RequireStrongSessionKey
+
+<!-- DomainMember_RequireStrongSessionKey-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- DomainMember_RequireStrongSessionKey-Applicability-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey
+```
+<!-- DomainMember_RequireStrongSessionKey-OmaUri-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-Description-Begin -->
+<!-- Description-Source-DDF -->
+Domain member: Require strong (Windows 2000 or later) session key This security setting determines whether 128-bit key strength is required for encrypted secure channel data. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on. Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters: Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Some or all of the information that's transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that's encrypted.
+
+- If this setting is enabled, then the secure channel won't be established unless 128-bit encryption can be performed.
+
+- If this setting is disabled, then the key strength is negotiated with the domain controller. Default: Enabled.
+
+> [!IMPORTANT]
+> In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later. In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
+<!-- DomainMember_RequireStrongSessionKey-Description-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DomainMember_RequireStrongSessionKey-Editable-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- DomainMember_RequireStrongSessionKey-DFProperties-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Domain member: Require strong (Windows 2000 or later) session key |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- DomainMember_RequireStrongSessionKey-GpMapping-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DomainMember_RequireStrongSessionKey-Examples-End -->
+
+<!-- DomainMember_RequireStrongSessionKey-End -->
+
 <!-- InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked-Begin -->
 ## InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
 
@@ -822,6 +1325,56 @@ Interactive logon: Don't require CTRL+ALT+DEL This security setting determines w
 
 <!-- InteractiveLogon_DoNotRequireCTRLALTDEL-End -->
 
+<!-- InteractiveLogon_MachineAccountThreshold-Begin -->
+## InteractiveLogon_MachineAccountThreshold
+
+<!-- InteractiveLogon_MachineAccountThreshold-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- InteractiveLogon_MachineAccountThreshold-Applicability-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineAccountThreshold
+```
+<!-- InteractiveLogon_MachineAccountThreshold-OmaUri-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-Description-Begin -->
+<!-- Description-Source-DDF -->
+Interactive logon: Machine account threshold. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by providing recovery key at console. You can set the value between 1 and 999 failed logon attempts. If you set the value to 0, the machine will never be locked out. Values from 1 to 3 will be interpreted as 4. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that the appropriate recovery password backup policies are enabled. Default: 0.
+<!-- InteractiveLogon_MachineAccountThreshold-Description-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- InteractiveLogon_MachineAccountThreshold-Editable-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value  | 0 |
+<!-- InteractiveLogon_MachineAccountThreshold-DFProperties-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Interactive logon: Machine account lockout threshold |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- InteractiveLogon_MachineAccountThreshold-GpMapping-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- InteractiveLogon_MachineAccountThreshold-Examples-End -->
+
+<!-- InteractiveLogon_MachineAccountThreshold-End -->
+
 <!-- InteractiveLogon_MachineInactivityLimit-Begin -->
 ## InteractiveLogon_MachineInactivityLimit
 
@@ -972,6 +1525,87 @@ Interactive logon: Message title for users attempting to log on This security se
 
 <!-- InteractiveLogon_MessageTitleForUsersAttemptingToLogOn-End -->
 
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Begin -->
+## InteractiveLogon_NumberOfPreviousLogonsToCache
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-End -->
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_NumberOfPreviousLogonsToCache
+```
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-End -->
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Description-Begin -->
+<!-- Description-Source-DDF -->
+Interactive logon: Number of previous logons to cache (in case domain controller isn't available) Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they're able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information isn't cached, the user is prompted with this message: There are currently no logon servers available to service the logon request. In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user's individual cached information is replaced. Default: Windows Server 2008: 25 All Other Versions: 10.
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Description-End -->
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Editable-End -->
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 10 |
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-DFProperties-End -->
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Examples-End -->
+
+<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Begin -->
+## InteractiveLogon_PromptUserToChangePasswordBeforeExpiration
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_PromptUserToChangePasswordBeforeExpiration
+```
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-OmaUri-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Description-Begin -->
+<!-- Description-Source-DDF -->
+Interactive logon: Prompt user to change password before expiration Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a password that's sufficiently strong. Default: 5 days.
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Description-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Editable-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value  | 5 |
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-DFProperties-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Examples-End -->
+
+<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-End -->
+
 <!-- InteractiveLogon_SmartCardRemovalBehavior-Begin -->
 ## InteractiveLogon_SmartCardRemovalBehavior
 
@@ -1226,6 +1860,56 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
 
 <!-- MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers-End -->
 
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Begin -->
+## MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+```
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-OmaUri-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Description-Begin -->
+<!-- Description-Source-DDF -->
+Microsoft network server: Amount of idle time required before suspending a session This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. Default: This policy isn't defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Description-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Editable-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-15]` |
+| Default Value  | 15 |
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-DFProperties-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Microsoft network server: Amount of idle time required before suspending session |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-GpMapping-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Examples-End -->
+
+<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-End -->
+
 <!-- MicrosoftNetworkServer_DigitallySignCommunicationsAlways-Begin -->
 ## MicrosoftNetworkServer_DigitallySignCommunicationsAlways
 
@@ -1359,6 +2043,88 @@ Microsoft network server: Digitally sign communications (if client agrees) This
 
 <!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-End -->
 
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Begin -->
+## MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-End -->
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire
+```
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-OmaUri-End -->
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Description-Begin -->
+<!-- Description-Source-DDF -->
+Microsoft network server: Disconnect clients when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default on Windows Vista and above: Enabled. Default on Windows XP: Disabled.
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Description-End -->
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Editable-End -->
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-DFProperties-End -->
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Examples-End -->
+
+<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Begin -->
+## MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel
+```
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-OmaUri-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Description-Begin -->
+<!-- Description-Source-DDF -->
+Microsoft network server: Server SPN target name validation level This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that's provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. This security setting determines the level of validation a SMB server performs on the service principal name (SPN) provided by the SMB client when trying to establish a session to an SMB server. The options are: Off - the SPN isn't required or validated by the SMB server from a SMB client. Accept if provided by client - the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server's list of SPN's for itself. If the SPN does NOT match, the session request for that SMB client will be denied. Required from client - the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server that's being requested to establish a connection. If no SPN is provided by client, or the SPN provided doesn't match, the session is denied. Default: Off All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. Additional information on implementing and using this to secure your SMB servers can be found at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=144505).
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Description-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Editable-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2]` |
+| Default Value  | 0 |
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-DFProperties-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Examples-End -->
+
+<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-End -->
+
 <!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Begin -->
 ## NetworkAccess_AllowAnonymousSIDOrNameTranslation
 
@@ -1540,6 +2306,227 @@ Network access: Don't allow anonymous enumeration of SAM accounts and shares Thi
 
 <!-- NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares-End -->
 
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Begin -->
+## NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-End -->
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication
+```
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-OmaUri-End -->
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Don't allow storage of passwords and credentials for network authentication This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication.
+
+- If you enable this setting, Credential Manager doesn't store passwords and credentials on the computer.
+
+- If you disable or don't configure this policy setting, Credential Manager will store passwords and credentials on this computer for later use for domain authentication.
+
+> [!NOTE]
+> When configuring this security setting, changes won't take effect until you restart Windows. Default: Disabled.
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Description-End -->
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Editable-End -->
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-DFProperties-End -->
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Examples-End -->
+
+<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Begin -->
+## NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
+```
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-OmaUri-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Let Everyone permissions apply to anonymous users This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. By Default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group don't apply to anonymous users. If this option is set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission. If this policy is enabled, the Everyone SID is added to the token that's created for anonymous connections. In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions. Default: Disabled.
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Description-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Editable-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-DFProperties-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Network access: Let Everyone permissions apply to anonymous users |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-GpMapping-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Examples-End -->
+
+<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Begin -->
+## NetworkAccess_NamedPipesThatCanBeAccessedAnonymously
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_NamedPipesThatCanBeAccessedAnonymously
+```
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-OmaUri-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Named pipes that can be accessed anonymously This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access. Default: None.
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Description-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Editable-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-DFProperties-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Examples-End -->
+
+<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Begin -->
+## NetworkAccess_RemotelyAccessibleRegistryPaths
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RemotelyAccessibleRegistryPaths
+```
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-OmaUri-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Remotely accessible registry paths This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
+
+> [!NOTE]
+> This security setting isn't available on earlier versions of Windows. The security setting that appears on computers running Windows XP, &quot;Network access: Remotely accessible registry paths&quot; corresponds to the &quot;Network access: Remotely accessible registry paths and subpaths&quot; security option on members of the Windows Server 2003 family. For more information, see Network access: Remotely accessible registry paths and subpaths.
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Description-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Editable-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-DFProperties-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Examples-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Begin -->
+## NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths
+```
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-OmaUri-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Remotely accessible registry paths and subpaths This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc System\CurrentControlSet\Services\Wins Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
+
+> [!NOTE]
+> On Windows XP, this security setting was called "Network access: Remotely accessible registry paths". If you configure this setting on a member of the Windows Server 2003 family that's joined to a domain, this setting is inherited by computers running Windows XP, but will appear as the "Network access: Remotely accessible registry paths" security option. For more information, see Network access: Remotely accessible registry paths and subpaths.
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Description-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Editable-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-DFProperties-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Examples-End -->
+
+<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-End -->
+
 <!-- NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares-Begin -->
 ## NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
 
@@ -1646,6 +2633,130 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
 
 <!-- NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM-End -->
 
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Begin -->
+## NetworkAccess_SharesThatCanBeAccessedAnonymously
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-End -->
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_SharesThatCanBeAccessedAnonymously
+```
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-OmaUri-End -->
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Shares that can be accessed anonymously This security setting determines which network shares can accessed by anonymous users. Default: None specified.
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Description-End -->
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Editable-End -->
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-DFProperties-End -->
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Examples-End -->
+
+<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Begin -->
+## NetworkAccess_SharingAndSecurityModelForLocalAccounts
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_SharingAndSecurityModelForLocalAccounts
+```
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-OmaUri-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network access: Sharing and security model for local accounts This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource. If this setting is set to Guest only, network logons that use local accounts are automatically mapped to the Guest account. By using the Guest model, you can have all users treated equally. All users authenticate as Guest, and they all receive the same level of access to a given resource, which can be either Read-only or Modify. Default on domain computers: Classic. Default on stand-alone computers: Guest only Important With the Guest only model, any user who can access your computer over the network (including anonymous Internet users) can access your shared resources. You must use the Windows Firewall or another similar device to protect your computer from unauthorized access. Similarly, with the Classic model, local accounts must be password protected; otherwise, those user accounts can be used by anyone to access shared system resources.
+
+> [!NOTE]
+> This setting doesn't affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services. Remote Desktop Services was called Terminal Services in previous versions of Windows Server. This policy will have no impact on computers running Windows 2000. When the computer isn't joined to a domain, this setting also modifies the Sharing and Security tabs in File Explorer to correspond to the sharing and security model that's being used.
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Description-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Editable-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-DFProperties-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Examples-End -->
+
+<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Begin -->
+## NetworkSecurity_AllowLocalSystemNULLSessionFallback
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemNULLSessionFallback
+```
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-OmaUri-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network security: Allow LocalSystem NULL session fallback Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7.
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Description-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Editable-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-DFProperties-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Examples-End -->
+
+<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-End -->
+
 <!-- NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM-Begin -->
 ## NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
 
@@ -1961,6 +3072,53 @@ Network security LAN Manager authentication level This security setting determin
 
 <!-- NetworkSecurity_LANManagerAuthenticationLevel-End -->
 
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Begin -->
+## NetworkSecurity_LDAPClientSigningRequirements
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-End -->
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_LDAPClientSigningRequirements
+```
+<!-- NetworkSecurity_LDAPClientSigningRequirements-OmaUri-End -->
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Description-Begin -->
+<!-- Description-Source-DDF -->
+Network security: LDAP client signing requirements This security setting determines the level of data signing that's requested on behalf of clients issuing LDAP BIND requests, as follows: None: The LDAP BIND request is issued with the options that are specified by the caller. Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) hasn't been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller. Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response doesn't indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.
+
+> [!CAUTION]
+> If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.
+
+> [!NOTE]
+> This setting doesn't have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller. Default: Negotiate signing.
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Description-End -->
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Editable-End -->
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2]` |
+| Default Value  | 0 |
+<!-- NetworkSecurity_LDAPClientSigningRequirements-DFProperties-End -->
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- NetworkSecurity_LDAPClientSigningRequirements-Examples-End -->
+
+<!-- NetworkSecurity_LDAPClientSigningRequirements-End -->
+
 <!-- NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients-Begin -->
 ## NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
 
@@ -2320,6 +3478,97 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This po
 
 <!-- NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers-End -->
 
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Begin -->
+## RecoveryConsole_AllowAutomaticAdministrativeLogon
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
+```
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-OmaUri-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Description-Begin -->
+<!-- Description-Source-DDF -->
+Recovery console: Allow automatic administrative logon This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console doesn't require you to provide a password, and it automatically logs on to the system. Default: This policy isn't defined and automatic administrative logon isn't allowed.
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Description-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Editable-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-DFProperties-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Recovery console: Allow automatic administrative logon |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-GpMapping-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Examples-End -->
+
+<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Begin -->
+## RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders
+```
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-OmaUri-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Description-Begin -->
+<!-- Description-Source-DDF -->
+Recovery console: Allow floppy copy and access to all drives and all folders Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: AllowWildCards: Enable wildcard support for some commands (such as the DEL command). AllowAllPaths: Allow access to all files and folders on the computer. AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk. NoCopyPrompt: Don't prompt when overwriting an existing file. Default: This policy isn't defined and the recover console SET command isn't available.
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Description-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Editable-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 0 |
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-DFProperties-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Examples-End -->
+
+<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-End -->
+
 <!-- Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn-Begin -->
 ## Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
 
@@ -2436,6 +3685,138 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether
 
 <!-- Shutdown_ClearVirtualMemoryPageFile-End -->
 
+<!-- SystemCryptography_ForceStrongKeyProtection-Begin -->
+## SystemCryptography_ForceStrongKeyProtection
+
+<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-End -->
+
+<!-- SystemCryptography_ForceStrongKeyProtection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/SystemCryptography_ForceStrongKeyProtection
+```
+<!-- SystemCryptography_ForceStrongKeyProtection-OmaUri-End -->
+
+<!-- SystemCryptography_ForceStrongKeyProtection-Description-Begin -->
+<!-- Description-Source-DDF -->
+System Cryptography: Force strong key protection for user keys stored on the computer This security setting determines if users' private keys require a password to be used. The options are: User input isn't required when new keys are stored and used User is prompted when the key is first used User must enter a password each time they use a key For more information, see Public key infrastructure. Default: This policy isn't defined.
+<!-- SystemCryptography_ForceStrongKeyProtection-Description-End -->
+
+<!-- SystemCryptography_ForceStrongKeyProtection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SystemCryptography_ForceStrongKeyProtection-Editable-End -->
+
+<!-- SystemCryptography_ForceStrongKeyProtection-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2]` |
+| Default Value  | 0 |
+<!-- SystemCryptography_ForceStrongKeyProtection-DFProperties-End -->
+
+<!-- SystemCryptography_ForceStrongKeyProtection-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SystemCryptography_ForceStrongKeyProtection-Examples-End -->
+
+<!-- SystemCryptography_ForceStrongKeyProtection-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Begin -->
+## SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
+```
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-OmaUri-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Description-Begin -->
+<!-- Description-Source-DDF -->
+System objects: Require case insensitivity for non-Windows subsystems This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting doesn't allow the Win32 subsystem to become case sensitive. Default: Enabled.
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Description-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Editable-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-DFProperties-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | System objects: Require case insensitivity for non-Windows subsystems |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-GpMapping-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Examples-End -->
+
+<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Begin -->
+## SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects
+```
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-OmaUri-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Description-Begin -->
+<!-- Description-Source-DDF -->
+System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who aren't administrators to read shared objects but not allowing these users to modify shared objects that they didn't create. Default: Enabled.
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Description-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Editable-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-DFProperties-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Examples-End -->
+
+<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-End -->
+
 <!-- UserAccountControl_AllowUIAccessApplicationsToPromptForElevation-Begin -->
 ## UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
 
diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md
index 678047a74c..1ae1768b2e 100644
--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@@ -54,7 +54,7 @@ members that aren't specified in the policy are removed.
 <!-- Configure-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
+> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#configuregroupmembership) policy setting also allows you to configure members (users or Microsoft Entra groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
 >
 > Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersAndGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
 <!-- Configure-Editable-End -->
@@ -166,21 +166,21 @@ where:
 
     > [!NOTE]
     > When specifying member names of the user accounts, you must use following format - AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk".
-For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy.
+For adding Microsoft Entra groups, you need to specify the Microsoft Entra group SID. Microsoft Entra group names are not supported with this policy.
 For more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea).
 
 See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles.
 
 > [!IMPORTANT]
 >
-> - `<add member>` and `<remove member>` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute.
+> - `<add member>` and `<remove member>` can use a Microsoft Entra SID or the user's name. For adding or removing Microsoft Entra groups using this policy, you must use the group's SID. Microsoft Entra group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute.
 > - When specifying a SID in the `<add member>` or `<remove member>`, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct.
 > - `<remove member>` is not valid for the R (Restrict) action and will be ignored if present.
 > - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present.
 
-**Example 1**: Azure Active Directory focused.
+**Example 1**: Microsoft Entra ID focused.
 
-The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
+The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with a Microsoft Entra account "bob@contoso.com" and a Microsoft Entra group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on a Microsoft Entra joined machine.
 
 ```xml
 <GroupConfiguration>
@@ -192,7 +192,7 @@ The following example updates the built-in administrators group with the SID **S
 </GroupConfiguration>
 ```
 
-**Example 2**: Replace / Restrict the built-in administrators group with an Azure AD user account.
+**Example 2**: Replace / Restrict the built-in administrators group with a Microsoft Entra user account.
 
 > [!NOTE]
 > When using the 'R' replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group.
@@ -209,7 +209,7 @@ The following example updates the built-in administrators group with the SID **S
 
 **Example 3**: Update action for adding and removing group members on a hybrid joined machine.
 
-The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
+The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a Microsoft Entra group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
 
 ```xml
 <GroupConfiguration>
@@ -223,7 +223,7 @@ The following example shows how you can update a local group (**Administrators**
 ```
 
 > [!NOTE]
-> When Azure Active Directory group SID's are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
+> When Microsoft Entra group SID's are added to local groups, Microsoft Entra account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
 >
 > - Administrators
 > - Users
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index 00d0c1acb3..79b92833b7 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -4,7 +4,7 @@ description: Learn more about the MixedReality Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/29/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -42,24 +42,24 @@ These policies are only supported on [Microsoft HoloLens 2](/hololens/hololens2-
 
 <!-- AADGroupMembershipCacheValidityInDays-Description-Begin -->
 <!-- Description-Source-DDF -->
-This policy controls for how many days, AAD group membership cache is allowed to be used for Assigned Access configurations targeting AAD groups for signed in user. Once this policy is set only then cache is used otherwise not. In order for this policy to take effect, user must sign-out and sign-in with Internet available at least once before the cache can be used for subsequent 'disconnected' sessions.
+This policy controls for how many days, Microsoft Entra group membership cache is allowed to be used for Assigned Access configurations targeting Microsoft Entra groups for signed in user. Once this policy is set only then cache is used otherwise not. In order for this policy to take effect, user must sign-out and sign-in with Internet available at least once before the cache can be used for subsequent 'disconnected' sessions.
 <!-- AADGroupMembershipCacheValidityInDays-Description-End -->
 
 <!-- AADGroupMembershipCacheValidityInDays-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Steps to use this policy correctly:
 
-1. Create a device configuration profile for kiosk, which targets Azure AD groups. Assign it to the HoloLens devices.
+1. Create a device configuration profile for kiosk, which targets Microsoft Entra groups. Assign it to the HoloLens devices.
 1. Create a custom OMA URI-based device configuration. Set this policy value to the chosen number of days greater than zero (`0`). Then assign the configuration to the HoloLens devices.
     - The URI value should be entered in OMA-URI text box as `./Device/Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays`
     - The value can be any integer in the allowed range.
 1. Enroll the HoloLens devices. Verify that both configurations apply to the device.
-1. When internet is available, sign in as an Azure AD user. Once the user signs-in, and Azure AD group membership is confirmed successfully, the cache will be created.
+1. When internet is available, sign in as a Microsoft Entra user. Once the user signs-in, and Microsoft Entra group membership is confirmed successfully, the cache will be created.
 1. You can now take the HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
-1. Steps 4 and 5 can be repeated for any other Azure AD user. The key point is that any Azure AD user must sign-in at least once to a device while on the internet. Then we can determine that they're a member of an Azure AD group to which the kiosk configuration is targeted.
+1. Steps 4 and 5 can be repeated for any other Microsoft Entra user. The key point is that any Microsoft Entra user must sign-in at least once to a device while on the internet. Then we can determine that they're a member of a Microsoft Entra group to which the kiosk configuration is targeted.
 
 > [!NOTE]
-> Until you do step 4 for an Azure AD user, the user will experience failure behavior similar to a disconnected environment.
+> Until you do step 4 for a Microsoft Entra user, the user will experience failure behavior similar to a disconnected environment.
 <!-- AADGroupMembershipCacheValidityInDays-Editable-End -->
 
 <!-- AADGroupMembershipCacheValidityInDays-DFProperties-Begin -->
@@ -212,7 +212,7 @@ On a device where you configure this policy, the user specified in the policy ne
 > [!NOTE]
 >
 > - Some events such as major OS updates may require the specified user to sign in to the device again to resume auto-logon behavior.
-> - Auto-logon is only supported for Microsoft accounts and Azure Active Directory (Azure AD) users.
+> - Auto-logon is only supported for Microsoft accounts and Microsoft Entra users.
 <!-- AutoLogonUser-Editable-End -->
 
 <!-- AutoLogonUser-DFProperties-Begin -->
@@ -490,6 +490,110 @@ The following XML string is an example of the value for this policy:
 
 <!-- ConfigureNtpClient-End -->
 
+<!-- ConfigureSharedAccount-Begin -->
+## ConfigureSharedAccount
+
+<!-- ConfigureSharedAccount-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- ConfigureSharedAccount-Applicability-End -->
+
+<!-- ConfigureSharedAccount-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureSharedAccount
+```
+<!-- ConfigureSharedAccount-OmaUri-End -->
+
+<!-- ConfigureSharedAccount-Description-Begin -->
+<!-- Description-Source-DDF -->
+This policy specifies the configuration for Shared Accounts on the device. Shared Accounts are Microsoft Entra accounts that are deployed to the device by an IT admin and can be used by anyone with physical access to the device. These accounts excel in deployments where the HoloLens device is used like a tool shared between multiple people and it doesn't matter which account is used to access Microsoft Entra resources. Because these accounts can be signed in without requiring the user to provide credentials, you should ensure that these devices are physically secure, with access granted only to authorized personnel. You should also lock down these accounts to only have access to the required resources.
+<!-- ConfigureSharedAccount-Description-End -->
+
+<!-- ConfigureSharedAccount-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ConfigureSharedAccount-Editable-End -->
+
+<!-- ConfigureSharedAccount-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- ConfigureSharedAccount-DFProperties-End -->
+
+<!-- ConfigureSharedAccount-AllowedValues-Begin -->
+**Allowed values**:
+
+<br>
+<details>
+  <summary>Expand to see schema XML</summary>
+
+```xml
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <xsd:element name="SharedAccountConfiguration">
+    <xsd:complexType mixed="true">
+      <xsd:sequence>
+        <xsd:element minOccurs="1" maxOccurs="1" name="SharedAccount">
+          <xsd:complexType>
+            <xsd:sequence>
+              <xsd:choice>
+                <xsd:element name="IssuerThumbprint">
+                  <xsd:simpleType>
+                    <xsd:restriction base="xsd:string">
+                      <xsd:maxLength value="40" />
+                    </xsd:restriction>
+                  </xsd:simpleType>
+                </xsd:element>
+                <xsd:element name="IssuerName">
+                  <xsd:simpleType>
+                    <xsd:restriction base="xsd:string">
+                      <xsd:maxLength value="512" />
+                    </xsd:restriction>
+                  </xsd:simpleType>
+                </xsd:element>
+              </xsd:choice>
+              <xsd:element minOccurs="0" maxOccurs="1" name="EkuOidRequirements">
+                <xsd:complexType>
+                  <xsd:sequence>
+                    <xsd:element maxOccurs="5" name="Oid">
+                      <xsd:simpleType>
+                        <xsd:restriction base="xsd:string">
+                          <xsd:maxLength value="100" />
+                        </xsd:restriction>
+                      </xsd:simpleType>
+                    </xsd:element>
+                  </xsd:sequence>
+                </xsd:complexType>
+              </xsd:element>
+              <xsd:element minOccurs="0" maxOccurs="1" name="AutoLogon">
+                <xsd:complexType>
+                  <xsd:simpleContent>
+                    <xsd:extension base="xsd:string">
+                      <xsd:attribute name="forced" type="xsd:boolean" />
+                    </xsd:extension>
+                  </xsd:simpleContent>
+                </xsd:complexType>
+              </xsd:element>
+            </xsd:sequence>
+          </xsd:complexType>
+        </xsd:element>
+      </xsd:sequence>
+    </xsd:complexType>
+  </xsd:element>
+</xsd:schema>
+```
+
+</details>
+<!-- ConfigureSharedAccount-AllowedValues-End -->
+
+<!-- ConfigureSharedAccount-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ConfigureSharedAccount-Examples-End -->
+
+<!-- ConfigureSharedAccount-End -->
+
 <!-- DisallowNetworkConnectivityPassivePolling-Begin -->
 ## DisallowNetworkConnectivityPassivePolling
 
diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md
index 3fd43b32c1..c12b74e90f 100644
--- a/windows/client-management/mdm/policy-csp-multitasking.md
+++ b/windows/client-management/mdm/policy-csp-multitasking.md
@@ -4,7 +4,7 @@ description: Learn more about the Multitasking Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/30/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -37,9 +37,9 @@ ms.topic: reference
 
 <!-- BrowserAltTabBlowout-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This setting controls the inclusion of Microsoft Edge tabs into Alt+Tab.
+This setting controls the inclusion of app tabs into Alt+Tab.
 
-This can be set to show all tabs, the most recent 3 or 5 tabs, or no tabs from Microsoft Edge.
+This can be set to show the most recent 3, 5 or 20 tabs, or no tabs from apps.
 
 If this is set to show "Open windows only", the whole feature will be disabled.
 <!-- BrowserAltTabBlowout-Description-End -->
@@ -82,7 +82,7 @@ This policy only applies to the Alt+Tab switcher. When the policy isn't enabled,
 | Name | Value |
 |:--|:--|
 | Name | BrowserAltTabBlowout |
-| Friendly Name | Configure the inclusion of Microsoft Edge tabs into Alt-Tab |
+| Friendly Name | Configure the inclusion of app tabs into Alt-Tab |
 | Element Name | Pressing Alt + Tab shows. |
 | Location | User Configuration |
 | Path | Windows Components > Multitasking |
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 10ce383407..1f7b42377a 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -4,7 +4,7 @@ description: Learn more about the Notifications Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/30/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -38,8 +38,16 @@ ms.topic: reference
 <!-- DisableAccountNotifications-OmaUri-End -->
 
 <!-- DisableAccountNotifications-Description-Begin -->
-<!-- Description-Source-DDF -->
-This policy allows you to prevent Windows from displaying notifications to Microsoft account (MSA) and local users in Start (user tile). Notifications include getting users to: reauthenticate; backup their device; manage cloud storage quotas as well as manage their Microsoft 365 or XBOX subscription. If you enable this policy setting, Windows won't send account related notifications for local and MSA users to the user tile in Start.
+<!-- Description-Source-ADMX -->
+This policy allows you to prevent Windows from displaying notifications to Microsoft account (MSA) and local users in Start (user tile).
+
+Notifications include getting users to: reauthenticate; backup their device; manage cloud storage quotas as well as manage their Microsoft 365 or XBOX subscription.
+
+- If you enable this policy setting, Windows won't send account related notifications for local and MSA users to the user tile in Start.
+
+- If you disable or don't configure this policy setting, Windows will send account related notifications for local and MSA users to the user tile in Start.
+
+No reboots or service restarts are required for this policy setting to take effect.
 <!-- DisableAccountNotifications-Description-End -->
 
 <!-- DisableAccountNotifications-Editable-Begin -->
@@ -71,7 +79,12 @@ This policy allows you to prevent Windows from displaying notifications to Micro
 | Name | Value |
 |:--|:--|
 | Name | DisableAccountNotifications |
-| Path | AccountNotifications > AT > WindowsComponents > AccountNotifications |
+| Friendly Name | Turn off account notifications in Start |
+| Location | User Configuration |
+| Path | Windows Components > Account Notifications |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AccountNotifications |
+| Registry Value Name | DisableAccountNotifications |
+| ADMX File Name | AccountNotifications.admx |
 <!-- DisableAccountNotifications-GpMapping-End -->
 
 <!-- DisableAccountNotifications-Examples-Begin -->
@@ -318,12 +331,16 @@ No reboots or service restarts are required for this policy setting to take effe
 <!-- EnableExpandedToastNotifications-OmaUri-End -->
 
 <!-- EnableExpandedToastNotifications-Description-Begin -->
-<!-- Description-Source-DDF -->
+<!-- Description-Source-ADMX -->
 This policy setting turns on multiple expanded toast notifications in action center.
 
 - If you enable this policy setting, the first three notifications of each application will be expanded by default in action center.
 
-- If you disable or don't configure this policy setting, only the first notification of each application will be expanded by default in action center. Windows 10 only. This will be immediately deprecated for Windows 11. No reboots or service restarts are required for this policy setting to take effect.
+- If you disable or don't configure this policy setting, only the first notification of each application will be expanded by default in action center.
+
+Windows 10 only. This will be immediately deprecated for Windows 11.
+
+No reboots or service restarts are required for this policy setting to take effect.
 <!-- EnableExpandedToastNotifications-Description-End -->
 
 <!-- EnableExpandedToastNotifications-Editable-Begin -->
@@ -355,7 +372,12 @@ This policy setting turns on multiple expanded toast notifications in action cen
 | Name | Value |
 |:--|:--|
 | Name | ExpandedToastNotifications |
-| Path | WPN > AT > StartMenu > NotificationsCategory |
+| Friendly Name | Turn on multiple expanded toast notifications in action center |
+| Location | User Configuration |
+| Path | Start Menu and Taskbar > Notifications |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications |
+| Registry Value Name | EnableExpandedToastNotifications |
+| ADMX File Name | WPN.admx |
 <!-- EnableExpandedToastNotifications-GpMapping-End -->
 
 <!-- EnableExpandedToastNotifications-Examples-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 5102bebb64..f96c5acb6a 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -4,7 +4,7 @@ description: Learn more about the Privacy Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/30/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -93,7 +93,7 @@ Allows or disallows the automatic acceptance of the pairing and privacy user con
 <!-- Description-Source-ADMX -->
 This policy setting determines whether Clipboard contents can be synchronized across devices.
 
-- If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account.
+- If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Microsoft Entra account.
 
 - If you disable this policy setting, Clipboard contents can't be shared to other devices.
 
@@ -2946,8 +2946,20 @@ If an app is open when this Group Policy object is applied on a device, employee
 <!-- LetAppsAccessHumanPresence-OmaUri-End -->
 
 <!-- LetAppsAccessHumanPresence-Description-Begin -->
-<!-- Description-Source-DDF -->
-This policy setting specifies whether Windows apps can access the human presence sensor.
+<!-- Description-Source-ADMX -->
+This policy setting specifies whether Windows apps can access presence sensing.
+
+You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
+
+If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
+
+If you choose the "Force Allow" option, Windows apps are allowed to access presence sensing and employees in your organization can't change it.
+
+If you choose the "Force Deny" option, Windows apps aren't allowed to access presence sensing and employees in your organization can't change it.
+
+If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
+
+If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
 <!-- LetAppsAccessHumanPresence-Description-End -->
 
 <!-- LetAppsAccessHumanPresence-Editable-Begin -->
@@ -2980,8 +2992,12 @@ This policy setting specifies whether Windows apps can access the human presence
 | Name | Value |
 |:--|:--|
 | Name | LetAppsAccessHumanPresence |
-| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
-| Element Name | LetAppsAccessHumanPresence_Enum |
+| Friendly Name | Let Windows apps access presence sensing |
+| Element Name | Default for all apps. |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
 <!-- LetAppsAccessHumanPresence-GpMapping-End -->
 
 <!-- LetAppsAccessHumanPresence-Examples-Begin -->
@@ -3006,8 +3022,20 @@ This policy setting specifies whether Windows apps can access the human presence
 <!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-OmaUri-End -->
 
 <!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Description-Begin -->
-<!-- Description-Source-DDF -->
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the human presence sensor. This setting overrides the default LetAppsAccessHumanPresence policy setting for the specified apps.
+<!-- Description-Source-ADMX -->
+This policy setting specifies whether Windows apps can access presence sensing.
+
+You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
+
+If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
+
+If you choose the "Force Allow" option, Windows apps are allowed to access presence sensing and employees in your organization can't change it.
+
+If you choose the "Force Deny" option, Windows apps aren't allowed to access presence sensing and employees in your organization can't change it.
+
+If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
+
+If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
 <!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Description-End -->
 
 <!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Editable-Begin -->
@@ -3030,8 +3058,11 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
 | Name | Value |
 |:--|:--|
 | Name | LetAppsAccessHumanPresence |
-| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
-| Element Name | LetAppsAccessHumanPresence_ForceAllowTheseApps_List |
+| Friendly Name | Let Windows apps access presence sensing |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
 <!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-GpMapping-End -->
 
 <!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Examples-Begin -->
@@ -3056,8 +3087,20 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
 <!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-OmaUri-End -->
 
 <!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Description-Begin -->
-<!-- Description-Source-DDF -->
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the human presence sensor. This setting overrides the default LetAppsAccessHumanPresence policy setting for the specified apps.
+<!-- Description-Source-ADMX -->
+This policy setting specifies whether Windows apps can access presence sensing.
+
+You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
+
+If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
+
+If you choose the "Force Allow" option, Windows apps are allowed to access presence sensing and employees in your organization can't change it.
+
+If you choose the "Force Deny" option, Windows apps aren't allowed to access presence sensing and employees in your organization can't change it.
+
+If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
+
+If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
 <!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Description-End -->
 
 <!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Editable-Begin -->
@@ -3080,8 +3123,11 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
 | Name | Value |
 |:--|:--|
 | Name | LetAppsAccessHumanPresence |
-| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
-| Element Name | LetAppsAccessHumanPresence_ForceDenyTheseApps_List |
+| Friendly Name | Let Windows apps access presence sensing |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
 <!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-GpMapping-End -->
 
 <!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Examples-Begin -->
@@ -3106,8 +3152,20 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
 <!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-OmaUri-End -->
 
 <!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Description-Begin -->
-<!-- Description-Source-DDF -->
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the human presence privacy setting for the listed apps. This setting overrides the default LetAppsAccessHumanPresence policy setting for the specified apps.
+<!-- Description-Source-ADMX -->
+This policy setting specifies whether Windows apps can access presence sensing.
+
+You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
+
+If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
+
+If you choose the "Force Allow" option, Windows apps are allowed to access presence sensing and employees in your organization can't change it.
+
+If you choose the "Force Deny" option, Windows apps aren't allowed to access presence sensing and employees in your organization can't change it.
+
+If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.
+
+If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
 <!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Description-End -->
 
 <!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Editable-Begin -->
@@ -3130,8 +3188,11 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
 | Name | Value |
 |:--|:--|
 | Name | LetAppsAccessHumanPresence |
-| Path | AppPrivacy > AT > WindowsComponents > AppPrivacy |
-| Element Name | LetAppsAccessHumanPresence_UserInControlOfTheseApps_List |
+| Friendly Name | Let Windows apps access presence sensing |
+| Location | Computer Configuration |
+| Path | Windows Components > App Privacy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
+| ADMX File Name | AppPrivacy.admx |
 <!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-GpMapping-End -->
 
 <!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Examples-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md
index ff6dc5d401..e112f3b6d8 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktop.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktop.md
@@ -95,13 +95,13 @@ To automatically subscribe to [Azure Virtual Desktop](/azure/virtual-desktop/ove
 
 <!-- LoadAadCredKeyFromProfile-Description-Begin -->
 <!-- Description-Source-DDF -->
-Allow encrypted DPAPI cred keys to be loaded from user profiles for AAD accounts.
+Allow encrypted DPAPI cred keys to be loaded from user profiles for Microsoft Entra accounts.
 <!-- LoadAadCredKeyFromProfile-Description-End -->
 
 <!-- LoadAadCredKeyFromProfile-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
-This policy allows the user to load the data protection API (DPAPI) cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using [FSLogix user profiles](/fslogix/overview) from Azure AD-joined VMs.
+This policy allows the user to load the data protection API (DPAPI) cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using [FSLogix user profiles](/fslogix/overview) from Microsoft Entra joined VMs.
 <!-- LoadAadCredKeyFromProfile-Editable-End -->
 
 <!-- LoadAadCredKeyFromProfile-DFProperties-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 69710b569d..83c65f6386 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -20,7 +20,7 @@ ms.topic: reference
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 
 > [!IMPORTANT]
-> Starting from Windows 10, version 20H2, to configure members of Windows local groups, use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. These members can be users or Azure Active Directory (Azure AD) groups.
+> Starting from Windows 10, version 20H2, to configure members of Windows local groups, use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. These members can be users or Microsoft Entra groups.
 >
 > Don't apply both policies to the same device, it's unsupported and may yield unpredictable results.
 <!-- RestrictedGroups-Editable-End -->
@@ -135,7 +135,7 @@ Descriptions of the properties:
 
 - `<accessgroup desc>` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
 
-- `<member name>` contains the members to add to the group in `<accessgroup desc>`. A member can be specified as a name or as a SID. For best results, use a SID for `<member name>`. The member SID can be a user account or a group in Active Directory, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in Active Directory or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
+- `<member name>` contains the members to add to the group in `<accessgroup desc>`. A member can be specified as a name or as a SID. For best results, use a SID for `<member name>`. The member SID can be a user account or a group in Active Directory, Microsoft Entra ID, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in Active Directory or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
 
 - In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group.
 
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index f29783c6d0..ef1082ff7d 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -354,7 +354,7 @@ Configures the use of passwords for Windows features.
 
 <!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
+Specifies whether to allow automatic device encryption during OOBE when the device is Microsoft Entra joined.
 <!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Description-End -->
 
 <!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Editable-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-settingssync.md b/windows/client-management/mdm/policy-csp-settingssync.md
index 7a792dc92c..954bbaeaf2 100644
--- a/windows/client-management/mdm/policy-csp-settingssync.md
+++ b/windows/client-management/mdm/policy-csp-settingssync.md
@@ -4,7 +4,7 @@ description: Learn more about the SettingsSync Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/30/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -101,7 +101,14 @@ If you don't set or disable this setting, syncing of the "accessibility" group i
 <!-- DisableLanguageSettingSync-OmaUri-End -->
 
 <!-- DisableLanguageSettingSync-Description-Begin -->
-<!-- Description-Source-Not-Found -->
+<!-- Description-Source-ADMX -->
+Prevent the "language preferences" group from syncing to and from this PC. This turns off and disables the "languages preferences" group on the "Windows backup" settings page in PC settings.
+
+If you enable this policy setting, the "language preferences", group won't be synced.
+
+Use the option "Allow users to turn language preferences syncing on" so that syncing is turned off by default but not disabled.
+
+If you don't set or disable this setting, syncing of the "language preferences" group is on by default and configurable by the user.
 <!-- DisableLanguageSettingSync-Description-End -->
 
 <!-- DisableLanguageSettingSync-Editable-Begin -->
@@ -118,7 +125,6 @@ If you don't set or disable this setting, syncing of the "accessibility" group i
 <!-- DisableLanguageSettingSync-DFProperties-End -->
 
 <!-- DisableLanguageSettingSync-AdmxBacked-Begin -->
-<!-- ADMX-Not-Found -->
 [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
 
 **ADMX mapping**:
@@ -126,6 +132,11 @@ If you don't set or disable this setting, syncing of the "accessibility" group i
 | Name | Value |
 |:--|:--|
 | Name | DisableLanguageSettingSync |
+| Friendly Name | Do not sync language preferences settings |
+| Location | Computer Configuration |
+| Path | Windows Components > Sync your settings |
+| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync |
+| Registry Value Name | DisableLanguageSettingSync |
 | ADMX File Name | SettingSync.admx |
 <!-- DisableLanguageSettingSync-AdmxBacked-End -->
 
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 1bab3b26fb..838e2faf41 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 09/25/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -1430,7 +1430,7 @@ To validate this policy, do the following steps:
 <!-- HideRecommendedPersonalizedSites-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.1928] and later |
 <!-- HideRecommendedPersonalizedSites-Applicability-End -->
 
 <!-- HideRecommendedPersonalizedSites-OmaUri-Begin -->
@@ -1444,8 +1444,8 @@ To validate this policy, do the following steps:
 <!-- HideRecommendedPersonalizedSites-OmaUri-End -->
 
 <!-- HideRecommendedPersonalizedSites-Description-Begin -->
-<!-- Description-Source-DDF -->
-This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu.
+<!-- Description-Source-ADMX -->
+Remove Personalized Website Recommendations from the Recommended section in the Start Menu.
 <!-- HideRecommendedPersonalizedSites-Description-End -->
 
 <!-- HideRecommendedPersonalizedSites-Editable-Begin -->
@@ -1477,7 +1477,12 @@ This policy setting allows you to hide the personalized websites in the recommen
 | Name | Value |
 |:--|:--|
 | Name | HideRecommendedPersonalizedSites |
-| Path | StartMenu > AT > StartMenu |
+| Friendly Name | Remove Personalized Website Recommendations from the Recommended section in the Start Menu |
+| Location | Computer and User Configuration |
+| Path | Start Menu and Taskbar |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
+| Registry Value Name | HideRecommendedPersonalizedSites |
+| ADMX File Name | StartMenu.admx |
 <!-- HideRecommendedPersonalizedSites-GpMapping-End -->
 
 <!-- HideRecommendedPersonalizedSites-Examples-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 58708cd210..0d0a105c89 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -4,7 +4,7 @@ description: Learn more about the System Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/30/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -111,16 +111,18 @@ This policy is only supported up to Windows 10, Version 1703. Please use 'Manage
 
 <!-- AllowCommercialDataPipeline-Description-Begin -->
 <!-- Description-Source-ADMX -->
-AllowCommercialDataPipeline configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
+This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
+
+AllowCommercialDataPipeline configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
 
 To enable this behavior:
 
 1. Enable this policy setting
-2. Join an Azure Active Directory account to the device.
+2. Join a Microsoft Entra account to the device.
 
 Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device.
 
-If you disable or don't configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft's privacy statement at <https://go.microsoft.com/fwlink/?LinkId=521839> unless you have enabled policies like 'Allow Update Compliance Processing' or 'Allow Desktop Analytics Processing".
+If you disable or don't configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft's privacy statement at <https://go.microsoft.com/fwlink/?LinkId=521839> unless you have enabled policies like 'Allow Update Compliance Processing' or 'Allow Desktop Analytics Processing'.
 
 See the documentation at <https://go.microsoft.com/fwlink/?linkid=2011107> for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data.
 <!-- AllowCommercialDataPipeline-Description-End -->
@@ -130,8 +132,8 @@ See the documentation at <https://go.microsoft.com/fwlink/?linkid=2011107> for i
 > [!NOTE]
 > Configuring this setting doesn't affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports.
 
-> [!IMPORTANT]
-> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+> [!NOTE]
+> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration).
 <!-- AllowCommercialDataPipeline-Editable-End -->
 
 <!-- AllowCommercialDataPipeline-DFProperties-Begin -->
@@ -189,12 +191,14 @@ See the documentation at <https://go.microsoft.com/fwlink/?linkid=2011107> for i
 
 <!-- AllowDesktopAnalyticsProcessing-Description-Begin -->
 <!-- Description-Source-ADMX -->
+This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
+
 This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
 
 To enable this behavior:
 
 1. Enable this policy setting
-2. Join an Azure Active Directory account to the device.
+2. Join a Microsoft Entra account to the device.
 
 3. Set Allow Telemetry to value 1 - Required, or higher
 4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace.
@@ -206,8 +210,8 @@ This setting has no effect on devices unless they're properly enrolled in Deskto
 
 <!-- AllowDesktopAnalyticsProcessing-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-> [!IMPORTANT]
-> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+> [!NOTE]
+> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration).
 <!-- AllowDesktopAnalyticsProcessing-Editable-End -->
 
 <!-- AllowDesktopAnalyticsProcessing-DFProperties-Begin -->
@@ -570,7 +574,7 @@ Specifies whether to allow app access to the Location service. Most restricted v
 <!-- AllowMicrosoftManagedDesktopProcessing-Description-Begin -->
 <!-- Description-Source-DDF -->
 This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
-This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
+This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
 For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See <https://go.microsoft.com/fwlink/?linkid=2184944> for more information.
 hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
 This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. If you disable this policy setting, devices may not appear in Microsoft Managed Desktop.
@@ -578,8 +582,8 @@ This setting has no effect on devices unless they're properly enrolled in Micros
 
 <!-- AllowMicrosoftManagedDesktopProcessing-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-> [!IMPORTANT]
-> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+> [!NOTE]
+> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration).
 <!-- AllowMicrosoftManagedDesktopProcessing-Editable-End -->
 
 <!-- AllowMicrosoftManagedDesktopProcessing-DFProperties-Begin -->
@@ -751,12 +755,14 @@ If you disable or don't configure this policy setting, the device will send requ
 
 <!-- AllowUpdateComplianceProcessing-Description-Begin -->
 <!-- Description-Source-ADMX -->
+This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
+
 This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
 
 To enable this behavior:
 
 1. Enable this policy setting
-2. Join an Azure Active Directory account to the device.
+2. Join a Microsoft Entra account to the device.
 
 3. Set Allow Telemetry to value 1 - Required, or higher
 4. Set the Configure the Commercial ID setting for your Update Compliance workspace.
@@ -768,8 +774,8 @@ If you disable or don't configure this policy setting, devices won't appear in U
 
 <!-- AllowUpdateComplianceProcessing-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-> [!IMPORTANT]
-> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+> [!NOTE]
+> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration).
 <!-- AllowUpdateComplianceProcessing-Editable-End -->
 
 <!-- AllowUpdateComplianceProcessing-DFProperties-Begin -->
@@ -876,12 +882,14 @@ Specifies whether to allow the user to factory reset the device by using control
 
 <!-- AllowWUfBCloudProcessing-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
+This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
+
+This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
 
 To enable this behavior:
 
 1. Enable this policy setting
-2. Join an Azure Active Directory account to the device.
+2. Join a Microsoft Entra account to the device.
 
 3. Set Allow Telemetry to value 1 - Required, or higher.
 
@@ -892,8 +900,8 @@ If you disable or don't configure this policy setting, devices enrolled to the W
 
 <!-- AllowWUfBCloudProcessing-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-> [!IMPORTANT]
-> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+> [!NOTE]
+> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration).
 <!-- AllowWUfBCloudProcessing-Editable-End -->
 
 <!-- AllowWUfBCloudProcessing-DFProperties-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
index 694ac12553..62451125d8 100644
--- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md
+++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
@@ -39,12 +39,12 @@ ms.topic: reference
 
 <!-- ConfigureTenantRestrictions-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory.
+This setting enables and configures the device-based tenant restrictions feature for Microsoft Entra ID.
 
-When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant.
+When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Microsoft Entra tenant.
 
 > [!NOTE]
-> Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details.
+> Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Microsoft Entra tenant Restrictions for more details.
 
 <https://go.microsoft.com/fwlink/?linkid=2148762>
 
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 3ec573368b..9c9630b5ac 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -25,11 +25,11 @@ ms.topic: reference
 Update CSP policies are listed below based on the group policy area:
 
 - [Windows Insider Preview](#windows-insider-preview)
-  - [AllowOptionalContent](#allowoptionalcontent)
   - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
   - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
 - [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
   - [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate)
+  - [AllowOptionalContent](#allowoptionalcontent)
   - [AutomaticMaintenanceWakeUp](#automaticmaintenancewakeup)
   - [BranchReadinessLevel](#branchreadinesslevel)
   - [DeferFeatureUpdatesPeriodInDays](#deferfeatureupdatesperiodindays)
@@ -107,65 +107,6 @@ Update CSP policies are listed below based on the group policy area:
 
 ## Windows Insider Preview
 
-<!-- AllowOptionalContent-Begin -->
-### AllowOptionalContent
-
-<!-- AllowOptionalContent-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-<!-- AllowOptionalContent-Applicability-End -->
-
-<!-- AllowOptionalContent-OmaUri-Begin -->
-```Device
-./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalContent
-```
-<!-- AllowOptionalContent-OmaUri-End -->
-
-<!-- AllowOptionalContent-Description-Begin -->
-<!-- Description-Source-DDF -->
-This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
-<!-- AllowOptionalContent-Description-End -->
-
-<!-- AllowOptionalContent-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- AllowOptionalContent-Editable-End -->
-
-<!-- AllowOptionalContent-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Default Value  | 0 |
-<!-- AllowOptionalContent-DFProperties-End -->
-
-<!-- AllowOptionalContent-AllowedValues-Begin -->
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 (Default) | Device doesn't receive optional updates. |
-| 1 | Device receives optional updates and user can install from WU Settings page. |
-| 2 | Device receives optional updates and install them as soon as they're available. |
-<!-- AllowOptionalContent-AllowedValues-End -->
-
-<!-- AllowOptionalContent-GpMapping-Begin -->
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | AllowOptionalContent |
-| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
-<!-- AllowOptionalContent-GpMapping-End -->
-
-<!-- AllowOptionalContent-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- AllowOptionalContent-Examples-End -->
-
-<!-- AllowOptionalContent-End -->
-
 <!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
 ### ConfigureDeadlineNoAutoRebootForFeatureUpdates
 
@@ -335,6 +276,66 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
 
 <!-- AllowNonMicrosoftSignedUpdate-End -->
 
+<!-- AllowOptionalContent-Begin -->
+### AllowOptionalContent
+
+<!-- AllowOptionalContent-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
+<!-- AllowOptionalContent-Applicability-End -->
+
+<!-- AllowOptionalContent-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalContent
+```
+<!-- AllowOptionalContent-OmaUri-End -->
+
+<!-- AllowOptionalContent-Description-Begin -->
+<!-- Description-Source-DDF -->
+This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/AllowOptionalContent)
+<!-- AllowOptionalContent-Description-End -->
+
+<!-- AllowOptionalContent-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowOptionalContent-Editable-End -->
+
+<!-- AllowOptionalContent-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- AllowOptionalContent-DFProperties-End -->
+
+<!-- AllowOptionalContent-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Don't receive optional updates. |
+| 1 | Automatically receive optional updates (including CFRs). |
+| 2 | Automatically receive optional updates. |
+| 3 | Users can select which optional updates to receive. |
+<!-- AllowOptionalContent-AllowedValues-End -->
+
+<!-- AllowOptionalContent-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowOptionalContent |
+| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
+<!-- AllowOptionalContent-GpMapping-End -->
+
+<!-- AllowOptionalContent-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowOptionalContent-Examples-End -->
+
+<!-- AllowOptionalContent-End -->
+
 <!-- AutomaticMaintenanceWakeUp-Begin -->
 ### AutomaticMaintenanceWakeUp
 
@@ -1280,7 +1281,7 @@ If the status is set to Disabled or Not Configured, Windows will check for avail
 > If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
 
 > [!NOTE]
-> This policy isn't supported on %WINDOWS_ARM_VERSION_6_2%. Setting this policy won't have any effect on %WINDOWS_ARM_VERSION_6_2% PCs.
+> This policy isn't supported on Windows RT. Setting this policy won't have any effect on Windows RT PCs.
 <!-- DetectionFrequency-Description-End -->
 
 <!-- DetectionFrequency-Editable-Begin -->
@@ -1458,7 +1459,7 @@ Allows Windows Update Agent to determine the download URL when it's missing from
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later <br> ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1288] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.2130] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-Applicability-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-OmaUri-Begin -->
@@ -1527,7 +1528,7 @@ Configure this policy to specify whether to receive **Windows Driver Updates** f
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later <br> ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1288] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.2130] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-Applicability-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-OmaUri-Begin -->
@@ -1596,7 +1597,7 @@ Configure this policy to specify whether to receive **Windows Feature Updates**
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later <br> ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1288] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.2130] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-Applicability-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-OmaUri-Begin -->
@@ -1665,7 +1666,7 @@ Configure this policy to specify whether to receive **Other Updates** from Windo
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.371] and later <br> ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1288] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.2130] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-Applicability-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-OmaUri-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index f44eaf71c7..e323789f73 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -93,7 +93,7 @@ For example, the following syntax grants user rights to Authenticated Users and
 <![CDATA[Authenticated Users&#xF000;Replicator]]>
 ```
 
-For example, the following syntax grants user rights to two specific Azure Active Directory (Azure AD) users from Contoso, user1 and user2:
+For example, the following syntax grants user rights to two specific Microsoft Entra users from Contoso, user1 and user2:
 
 ```xml
 <![CDATA[AzureAD\user1@contoso.com&#xF000;AzureAD\user2@contoso.com]]>
diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md
index 06336a8d08..a5834287ac 100644
--- a/windows/client-management/mdm/policy-csp-webthreatdefense.md
+++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md
@@ -4,7 +4,7 @@ description: Learn more about the WebThreatDefense Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 08/30/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -40,8 +40,14 @@ ms.topic: reference
 <!-- AutomaticDataCollection-OmaUri-End -->
 
 <!-- AutomaticDataCollection-Description-Begin -->
-<!-- Description-Source-DDF -->
-Automatically collect website or app content when additional analysis is needed to help identify security threats.
+<!-- Description-Source-ADMX -->
+This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.
+
+- If you enable this policy setting, Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app.
+
+- If you disable this policy setting, Enhanced Phishing Protection won't collect additional content for security analysis when your users enter their work or school password into a suspicious site or app.
+
+- If this policy isn't set, Enhanced Phishing Protection automatic data collection will honor the end user's settings.
 <!-- AutomaticDataCollection-Description-End -->
 
 <!-- AutomaticDataCollection-Editable-Begin -->
@@ -73,7 +79,12 @@ Automatically collect website or app content when additional analysis is needed
 | Name | Value |
 |:--|:--|
 | Name | AutomaticDataCollection |
-| Path | WebThreatDefense > AT > WindowsComponents > WebThreatDefense |
+| Friendly Name | Automatic Data Collection |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WTDS\Components |
+| Registry Value Name | CaptureThreatWindow |
+| ADMX File Name | WebThreatDefense.admx |
 <!-- AutomaticDataCollection-GpMapping-End -->
 
 <!-- AutomaticDataCollection-Examples-Begin -->
diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md
new file mode 100644
index 0000000000..5d7b09569f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@@ -0,0 +1,100 @@
+---
+title: WindowsAI Policy CSP
+description: Learn more about the WindowsAI Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 08/30/2023
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- WindowsAI-Begin -->
+# Policy CSP - WindowsAI
+
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
+<!-- WindowsAI-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- WindowsAI-Editable-End -->
+
+<!-- TurnOffWindowsCopilot-Begin -->
+## TurnOffWindowsCopilot
+
+<!-- TurnOffWindowsCopilot-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25929.1000] |
+<!-- TurnOffWindowsCopilot-Applicability-End -->
+
+<!-- TurnOffWindowsCopilot-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot
+```
+<!-- TurnOffWindowsCopilot-OmaUri-End -->
+
+<!-- TurnOffWindowsCopilot-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting allows you to turn off Windows Copilot.
+
+- If you enable this policy setting, users won't be able to use Copilot. The Copilot icon won't appear on the taskbar either.
+
+- If you disable or don't configure this policy setting, users will be able to use Copilot when it's available to them.
+<!-- TurnOffWindowsCopilot-Description-End -->
+
+<!-- TurnOffWindowsCopilot-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- TurnOffWindowsCopilot-Editable-End -->
+
+<!-- TurnOffWindowsCopilot-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- TurnOffWindowsCopilot-DFProperties-End -->
+
+<!-- TurnOffWindowsCopilot-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Enable Copilot. |
+| 1 | Disable Copilot. |
+<!-- TurnOffWindowsCopilot-AllowedValues-End -->
+
+<!-- TurnOffWindowsCopilot-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | TurnOffWindowsCopilot |
+| Friendly Name | Turn off Windows Copilot |
+| Location | User Configuration |
+| Path | Windows Components > Windows Copilot |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot |
+| Registry Value Name | TurnOffWindowsCopilot |
+| ADMX File Name | WindowsCopilot.admx |
+<!-- TurnOffWindowsCopilot-GpMapping-End -->
+
+<!-- TurnOffWindowsCopilot-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- TurnOffWindowsCopilot-Examples-End -->
+
+<!-- TurnOffWindowsCopilot-End -->
+
+<!-- WindowsAI-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- WindowsAI-CspMoreInfo-End -->
+
+<!-- WindowsAI-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 6f0c889771..7e57b912b3 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -4,7 +4,7 @@ description: Learn more about the WindowsLogon Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -18,8 +18,6 @@ ms.topic: reference
 
 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
 
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
 <!-- WindowsLogon-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 <!-- WindowsLogon-Editable-End -->
@@ -45,7 +43,7 @@ This policy setting controls whether a device will automatically sign in and loc
 
 This only occurs if the last interactive user didn't sign out before the restart or shutdown. 
 
-If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
+If the device is joined to Active Directory or Microsoft Entra ID, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
 
 - If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. 
 
@@ -565,7 +563,7 @@ The locations that Switch User interface appear are in the Logon UI, the Start m
 <!-- OverrideShellProgram-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2338] and later |
 <!-- OverrideShellProgram-Applicability-End -->
 
 <!-- OverrideShellProgram-OmaUri-Begin -->
@@ -576,7 +574,7 @@ The locations that Switch User interface appear are in the Logon UI, the Start m
 
 <!-- OverrideShellProgram-Description-Begin -->
 <!-- Description-Source-DDF -->
-OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. The policy currently supports below options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell doesn't have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application which would consume features offered by Lightweight shell. If you disable or don't configure this policy setting, then the default shell will be launched.
+OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. The policy currently supports below options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell doesn't have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features, which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application that would consume features offered by Lightweight shell. If you disable or don't configure this policy setting, then the default shell will be launched.
 <!-- OverrideShellProgram-Description-End -->
 
 <!-- OverrideShellProgram-Editable-Begin -->
@@ -591,7 +589,6 @@ OverrideShellProgram policy allows IT admin to configure the shell program for W
 | Format | `int` |
 | Access Type | Add, Delete, Get, Replace |
 | Default Value  | 0 |
-| Dependency [BootToCloudModeDependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br>  |
 <!-- OverrideShellProgram-DFProperties-End -->
 
 <!-- OverrideShellProgram-AllowedValues-Begin -->
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 1b4a1c636d..d0ae5d1f19 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -96,7 +96,7 @@ Node for the Autopilot Reset operation.
 
 <!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Description-Begin -->
 <!-- Description-Source-DDF -->
-Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
+Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Microsoft Entra ID and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
 <!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Description-End -->
 
 <!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Editable-Begin -->
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index 4c1b79cfc1..4c9892dc4c 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -106,7 +106,7 @@ The following list shows the SurfaceHub configuration service provider nodes:
 
 <!-- Device-DeviceAccount-Description-Begin -->
 <!-- Description-Source-DDF -->
-Node for setting device account information. A device account is a Microsoft Exchange account that's connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the [Surface Hub administrator guide](/surface-hub/) for more information about setting up a device account. To use a device account from Azure Active Directory: 1. Set the UserPrincipalName (for Azure AD). 2. Set a valid Password. 3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. 4. Get the ErrorContext in case something goes wrong during validation.
+Node for setting device account information. A device account is a Microsoft Exchange account that's connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the [Surface Hub administrator guide](/surface-hub/) for more information about setting up a device account. To use a device account from Microsoft Entra ID: 1. Set the UserPrincipalName (for Microsoft Entra ID). 2. Set a valid Password. 3. Execute ValidateAndCommit to validate the specified username and password combination against Microsoft Entra ID. 4. Get the ErrorContext in case something goes wrong during validation.
 <!-- Device-DeviceAccount-Description-End -->
 
 <!-- Device-DeviceAccount-Editable-Begin -->
@@ -333,7 +333,7 @@ Possible error values:
 | **ErrorContext value** | **Stage where error occurred** | **Description and suggestions** |
 | --- | --- | --- |
 | 1 | Unknown | |
-| 2 | Populating account | Unable to retrieve account details using the username and password you provided.<br/><br/> For Azure AD accounts, ensure that UserPrincipalName and Password are valid.<br/> For AD accounts, ensure that DomainName, UserName, and Password are valid.<br/> Ensure that the specified account has an Exchange server mailbox. |
+| 2 | Populating account | Unable to retrieve account details using the username and password you provided.<br/><br/> For Microsoft Entra accounts, ensure that UserPrincipalName and Password are valid.<br/> For AD accounts, ensure that DomainName, UserName, and Password are valid.<br/> Ensure that the specified account has an Exchange server mailbox. |
 | 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. |
 | 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. |
 | 5 | Saving account information | Unable to save account details to the system. |
@@ -499,7 +499,7 @@ Password for the device account. Get is allowed here, but will always return a b
 
 <!-- Device-DeviceAccount-PasswordRotationEnabled-Description-Begin -->
 <!-- Description-Source-DDF -->
-Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
+Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Microsoft Entra ID).
 <!-- Device-DeviceAccount-PasswordRotationEnabled-Description-End -->
 
 <!-- Device-DeviceAccount-PasswordRotationEnabled-Editable-Begin -->
@@ -625,7 +625,7 @@ Username of the device account when you are using Active Directory. To use a dev
 
 <!-- Device-DeviceAccount-UserPrincipalName-Description-Begin -->
 <!-- Description-Source-DDF -->
-User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
+User principal name (UPN) of the device account. To use a device account from Microsoft Entra ID or a hybrid deployment, you should specify the UPN of the device account.
 <!-- Device-DeviceAccount-UserPrincipalName-Description-End -->
 
 <!-- Device-DeviceAccount-UserPrincipalName-Editable-Begin -->
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index 7c469706c0..97551d7680 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -52,7 +52,7 @@ When RequireNetworkInOOBE is true, when the device goes through OOBE at first si
   -  True - Require network in OOBE.
   -  False - No network connection requirement in OOBE.
 
-Example scenario:  Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account.
+Example scenario:  Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Microsoft Entra credentials. There is no option to skip the network connection and create a local account.
 
 ## Related topics
 
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index a909cac63a..2ca71c81c0 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -29,6 +29,15 @@ items:
       href: ../structure-of-oma-dm-provisioning-files.md
     - name: Server requirements for OMA DM
       href: ../server-requirements-windows-mdm.md
+  - name: Declared Configuration protocol
+    href: ../declared-configuration.md
+    items:
+    - name: Declared Configuration extensibility
+      href: ../declared-configuration-extensibility.md
+    - name: DeclaredConfiguration CSP
+      href: declaredconfiguration-csp.md
+    - name: DMClient CSP
+      href: dmclient-csp.md
   - name: Configuration service providers (CSPs)
     expanded: true
     items:
@@ -440,6 +449,8 @@ items:
           href: policy-csp-feeds.md
         - name: FileExplorer
           href: policy-csp-fileexplorer.md
+        - name: FileSystem
+          href: policy-csp-filesystem.md
         - name: Games
           href: policy-csp-games.md
         - name: Handwriting
@@ -554,6 +565,8 @@ items:
           href: policy-csp-webthreatdefense.md
         - name: Wifi
           href: policy-csp-wifi.md
+        - name: WindowsAI
+          href: policy-csp-windowsai.md
         - name: WindowsAutopilot
           href: policy-csp-windowsautopilot.md
         - name: WindowsConnectionManager
@@ -648,6 +661,11 @@ items:
       items:
       - name: CustomDeviceUI DDF file
         href: customdeviceui-ddf.md
+    - name: DeclaredConfiguration
+      href: declaredconfiguration-csp.md
+      items:
+      - name: DeclaredConfiguration DDF file
+        href: declaredconfiguration-ddf-file.md
     - name: Defender
       href: defender-csp.md
       items:
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 42df09bf0e..3e5e3a5468 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -964,7 +964,7 @@ Determines the level of data encryption required for the connection.
 
 <!-- Device-{ProfileName}-DeviceCompliance-Description-Begin -->
 <!-- Description-Source-DDF -->
-Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN.
+Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.
 <!-- Device-{ProfileName}-DeviceCompliance-Description-End -->
 
 <!-- Device-{ProfileName}-DeviceCompliance-Editable-Begin -->
@@ -1003,7 +1003,7 @@ Nodes under DeviceCompliance can be used to enable AAD based Conditional Access
 
 <!-- Device-{ProfileName}-DeviceCompliance-Enabled-Description-Begin -->
 <!-- Description-Source-DDF -->
-Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
+Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.
 <!-- Device-{ProfileName}-DeviceCompliance-Enabled-Description-End -->
 
 <!-- Device-{ProfileName}-DeviceCompliance-Enabled-Editable-Begin -->
@@ -5261,7 +5261,7 @@ Determines the level of data encryption required for the connection.
 
 <!-- User-{ProfileName}-DeviceCompliance-Description-Begin -->
 <!-- Description-Source-DDF -->
-Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN.
+Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.
 <!-- User-{ProfileName}-DeviceCompliance-Description-End -->
 
 <!-- User-{ProfileName}-DeviceCompliance-Editable-Begin -->
@@ -5300,7 +5300,7 @@ Nodes under DeviceCompliance can be used to enable AAD based Conditional Access
 
 <!-- User-{ProfileName}-DeviceCompliance-Enabled-Description-Begin -->
 <!-- Description-Source-DDF -->
-Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
+Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.
 <!-- User-{ProfileName}-DeviceCompliance-Enabled-Description-End -->
 
 <!-- User-{ProfileName}-DeviceCompliance-Enabled-Editable-Begin -->
@@ -9037,7 +9037,7 @@ Profile example
         <NativeProtocol>
           <Type>Sstp</Type>
         </NativeProtocol>
-        <RetryTimeinHours>168</RetryTimeinHours>
+        <RetryTimeInHours>168</RetryTimeInHours>
       </ProtocolList>
     <Authentication>
       <UserMethod>Eap</UserMethod>
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 9a48d7372f..347afc4322 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -12,7 +12,7 @@ items:
                 href: mdm-overview.md
               - name: What's new in MDM
                 href: new-in-windows-mdm-enrollment-management.md
-              - name: Azure Active Directory integration
+              - name: Microsoft Entra integration
                 href: azure-active-directory-integration-with-mdm.md
               - name: Transitioning to modern management
                 href: manage-windows-10-in-your-organization-modern-management.md
@@ -48,6 +48,8 @@ items:
                 href: enterprise-app-management.md
               - name: Manage updates
                 href: device-update-management.md
+              - name: Manage Copilot in Windows
+                href: manage-windows-copilot.md
               - name: Secured-Core PC Configuration Lock
                 href: config-lock.md
               - name: Certificate renewal
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index 5a140f98e2..97c1386a73 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -143,7 +143,7 @@
           href: cortana-at-work/set-up-and-test-cortana-in-windows-10.md
         - name: Cortana at work testing scenarios
           href: cortana-at-work/cortana-at-work-testing-scenarios.md
-        - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
+        - name: Test scenario 1 - Sign into Microsoft Entra ID, enable the wake word, and try a voice query
           href: cortana-at-work/cortana-at-work-scenario-1.md
         - name: Test scenario 2 - Run a Bing search with Cortana
           href: cortana-at-work/cortana-at-work-scenario-2.md
@@ -163,7 +163,7 @@
           href: cortana-at-work/cortana-at-work-o365.md
         - name: Testing scenarios using Cortana in your business or organization
           href: cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
-        - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
+        - name: Test scenario 1 - Sign into Microsoft Entra ID, enable the wake word, and try a voice query
           href: cortana-at-work/test-scenario-1.md
         - name: Test scenario 2 - Run a quick search with Cortana at work
           href: cortana-at-work/test-scenario-2.md
diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md
index d41be6da7b..c8a911f8a2 100644
--- a/windows/configuration/changes-to-start-policies-in-windows-10.md
+++ b/windows/configuration/changes-to-start-policies-in-windows-10.md
@@ -6,18 +6,17 @@ manager: aaroncz
 ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
-ms.topic: article
+ms.topic: whats-new
 ms.localizationpriority: medium
-ms.date: 11/28/2017
+ms.date: 08/18/2023
 ms.technology: itpro-configure
 ---
 
 # Changes to Group Policy settings for Windows 10 Start
 
+**Applies to**:
 
-**Applies to**
-
--   Windows 10
+- Windows 10
 
 Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated.
 
@@ -33,7 +32,7 @@ These policy settings are available in **Administrative Templates\\Start Menu an
 |Don't display or track items in Jump Lists from remote locations|When this policy is applied, only items local on the computer are shown in Jump Lists.|
 |Don't keep history of recently opened documents|Documents that the user opens aren't tracked during the session.|
 |Prevent changes to Taskbar and Start Menu Settings|In Windows 10, this policy disables all of the settings in **Settings** > **Personalization** > **Start** and the options in dialog available via right-click Taskbar > **Properties**|
-|Prevent users from customizing their Start Screen|Use this policy in conjunction with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it|
+|Prevent users from customizing their Start Screen|Use this policy with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it|
 |Prevent users from uninstalling applications from Start|In Windows 10, this policy removes the uninstall button in the context menu. It doesn't prevent users from uninstalling the app through other entry points (for example, PowerShell)|
 |Remove All Programs list from the Start menu|In Windows 10, this policy removes the **All apps** button.|
 |Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands|This policy removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.|
@@ -44,12 +43,10 @@ These policy settings are available in **Administrative Templates\\Start Menu an
 |Show "Run as different user" command on Start|This policy enables the **Run as different user** option in the right-click menu for apps.|
 |Start Layout|This policy applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in **User Configuration** or **Computer Configuration**.|
 |Force Start to be either full screen size or menu size|This policy applies a specific size for Start.|
- 
 
-## <a href="" id="deprecated-group-policy-settings-for-start-"></a>Deprecated Group Policy settings for Start
+## Deprecated Group Policy settings for Start
 
-
-The Start policy settings listed below don't work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting won't work on Windows 10. The “Supported on” text for a policy setting won't list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to.
+The Start policy settings listed in the following table don't work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting won't work on Windows 10. The “Supported on” text for a policy setting won't list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to.
 
 | Policy                                                                           | When deprecated |
 |----------------------------------------------------------------------------------|-----------------|
@@ -92,7 +89,3 @@ The Start policy settings listed below don't work on Windows 10. Most of them w
 - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
 - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
 - [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-
-
-
-
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index cbdc9361aa..e80c753918 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -4,9 +4,9 @@ description: Administrators can pin more apps to the taskbar and remove default
 ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
-ms.topic: article
+ms.topic: how-to
 ms.localizationpriority: medium
-ms.date: 01/18/2018
+ms.date: 08/18/2023
 ms.reviewer: 
 manager: aaroncz
 ms.collection:
@@ -26,7 +26,7 @@ You can specify different taskbar configurations based on device locale and regi
 
 If you specify an app to be pinned that isn't provisioned for the user on the computer, the pinned icon won't appear on the taskbar.
 
-The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user.
+The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, starting to the right of any existing apps pinned by the user.
 
 > [!NOTE]
 > In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
@@ -321,11 +321,18 @@ The resulting taskbar for computers in any other country region:
 
 ## Related topics
 
-- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
-- [Customize and export Start layout](customize-and-export-start-layout.md)
-- [Add image for secondary tiles](start-secondary-tiles.md)
-- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
-- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+
+[Customize and export Start layout](customize-and-export-start-layout.md)
+
+[Add image for secondary tiles](start-secondary-tiles.md)
+
+[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+
+[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+
+[Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+
+[Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+
+[Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index 5dc0aa37ec..8cc906cd9f 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -29,7 +29,7 @@ Your employees can use Cortana to help manage their day and be more productive b
 ### Before you begin
 There are a few things to be aware of before you start using Cortana in Windows 10, versions 1909 and earlier.
 
-- **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortana&#39;s notebook. They must also authorize Cortana to access Microsoft 365 on their behalf.
+- **Microsoft Entra account.** Before your employees can use Cortana in your org, they must be logged in using their Microsoft Entra account through Cortana&#39;s notebook. They must also authorize Cortana to access Microsoft 365 on their behalf.
 
 - **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn&#39;t a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy).
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 2f8c615755..9bd3833b21 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -38,15 +38,17 @@ Cortana requires a PC running Windows 10, version 1703 or later, and the followi
 | Software | Minimum version |
 |---------|---------|
 |Client operating system     | - Windows 10, version 2004 (recommended)  <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
-|Azure Active Directory (Azure AD)    | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required.        |
+|Microsoft Entra ID    | While all employees signing into Cortana need a Microsoft Entra account, a Microsoft Entra ID P1 or P2 tenant isn't required.        |
 |Additional policies (Group Policy and Mobile Device Management (MDM))     |There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help.  |
 
 >[!NOTE]
 >For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana.
 
-## Signing in using Azure AD
+<a name='signing-in-using-azure-ad'></a>
 
-Your organization must have an Azure AD tenant and your employees&#39; devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](/azure/active-directory/)
+## Signing in using Microsoft Entra ID
+
+Your organization must have a Microsoft Entra tenant and your employees&#39; devices must all be Microsoft Entra joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what a Microsoft Entra tenant is, how to get your devices joined, and other Microsoft Entra maintenance info, see [Microsoft Entra documentation.](/azure/active-directory/)
 
 ## How is my data processed by Cortana?
 
@@ -54,7 +56,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
 
 ### Cortana in Windows 10, version 2004 and later, or Windows 11
 
-Cortana enterprise services that can be accessed using Azure AD through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
+Cortana enterprise services that can be accessed using Microsoft Entra ID through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
 
 #### How does Microsoft store, retain, process, and use Customer Data in Cortana?
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 8cfe781f37..e0881606c0 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -72,7 +72,7 @@ For specific info about how to set, manage, and use each of these MDM policies t
 - **AllowMicrosoftAccountConnection**
   - **Group policy**: None
   - **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection)
-  - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Azure AD account, then disable this setting.
+  - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Microsoft Entra account, then disable this setting.
 
 - **Allow search and Cortana to use location**
   - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 421e8959d9..28baf34fab 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -1,5 +1,5 @@
 ---
-title: Sign into Azure AD, enable the wake word, and try a voice query
+title: Sign into Microsoft Entra ID, enable the wake word, and try a voice query
 description: A test scenario walking you through signing in and managing the notebook.
 ms.prod: windows-client
 ms.collection: tier3
@@ -13,14 +13,14 @@ ms.date: 12/31/2017
 ms.topic: article
 ---
 
-# Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query
+# Test scenario 1 – Sign into Microsoft Entra ID, enable the wake word, and try a voice query
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 
 >[!NOTE]
 >The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
 
-1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account.
+1. Select the **Cortana** icon in the task bar and sign in using your Microsoft Entra account.
 
 2. Select the &quot;…&quot; menu and select **Talking to Cortana**.
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index 6a8fa6528d..9260043d11 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -19,7 +19,7 @@ ms.technology: itpro-configure
 
 We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
 
-- [Sign into Azure AD, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
+- [Sign into Microsoft Entra ID, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
 - [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md)
 - [Set a reminder](cortana-at-work-scenario-3.md)
 - [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md)
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
index 01d6c2db85..b9fd7b9023 100644
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -49,4 +49,4 @@ When a user enters a search query (by speech or text), Cortana evaluates if the
 Bing Answers is enabled by default for all users. However, admins can configure and change this setting for specific users and user groups in their organization.
 
 ## How the Bing Answer policy configuration is applied
-Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an Azure Active Directory group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.
+Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of a Microsoft Entra group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.
diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md
index 6f3ffd8173..cd72adceb2 100644
--- a/windows/configuration/cortana-at-work/test-scenario-1.md
+++ b/windows/configuration/cortana-at-work/test-scenario-1.md
@@ -16,11 +16,11 @@ ms.technology: itpro-configure
 <!--Using include for Cortana in Windows deprecation -->
 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
 
-This scenario turns on Azure AD and lets your employee use Cortana to manage an entry in the notebook.
+This scenario turns on Microsoft Entra ID and lets your employee use Cortana to manage an entry in the notebook.
 
 ## Sign in with your work or school account
 
-This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account.
+This process helps you to sign out of a Microsoft Account and to sign into a Microsoft Entra account.
 
 1. Click on the  **Cortana**  icon in the taskbar, then click the profile picture in the navigation to open Cortana settings.
 
diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md
index 081ea5877a..206010600b 100644
--- a/windows/configuration/cortana-at-work/test-scenario-4.md
+++ b/windows/configuration/cortana-at-work/test-scenario-4.md
@@ -28,7 +28,7 @@ This scenario helps you search for both general upcoming meetings, and specific
 
 This process helps you find your upcoming meetings.
 
-1. Check to make sure your work calendar is connected and synchronized with your Azure AD account.
+1. Check to make sure your work calendar is connected and synchronized with your Microsoft Entra account.
 
 2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
 
diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md
index 17a27dc786..f8dfb7cf8e 100644
--- a/windows/configuration/cortana-at-work/test-scenario-5.md
+++ b/windows/configuration/cortana-at-work/test-scenario-5.md
@@ -25,7 +25,7 @@ This scenario helps you to send an email to a co-worker listed in your work addr
 
 This process helps you to send a quick message to a co-worker from the work address book.
 
-1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account.
+1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Microsoft Entra account.
 
 2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
 
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index edd95b2265..c7298fc1d3 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -6,9 +6,9 @@ manager: aaroncz
 ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
-ms.topic: article
+ms.topic: how-to
 ms.localizationpriority: medium
-ms.date: 09/18/2018
+ms.date: 08/18/2023
 ms.collection:
  - highpri
  - tier1
@@ -17,7 +17,7 @@ ms.technology: itpro-configure
 
 # Customize and export Start layout
 
-**Applies to**
+**Applies to**:
 
 - Windows 10
 
@@ -27,71 +27,69 @@ The easiest method for creating a customized Start layout to apply to other Wind
 
 After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout.
 
-When a full Start layout is applied, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start.
+When a full Start layout is applied, the users can't pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they can't pin any apps to Start.
 
-When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
+When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups can't be changed, but users can move those groups, and can also create and customize their own groups.
 
->[!NOTE]
->Partial Start layout is only supported on Windows 10, version 1511 and later.
-
- 
+> [!NOTE]
+> Partial Start layout is only supported on Windows 10, version 1511 and later.
 
 You can deploy the resulting .xml file to devices using one of the following methods:
 
--   [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
 
--   [Windows Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Windows Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
 
--   [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
 
-## Customize the Start screen on your test computer
+### Customize the Start screen on your test computer
 
 To prepare a Start layout for export, you simply customize the Start layout on a test computer.
 
 **To prepare a test computer**
 
-1.  Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users' computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display.
+1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users' computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display.
 
-2.  Create a new user account that you will use to customize the Start layout.
+1. Create a new user account that you'll use to customize the Start layout.
 
 **To customize Start**
 
-1.  Sign in to your test computer with the user account that you created.
+1. Sign in to your test computer with the user account that you created.
 
-2.  Customize the Start layout as you want users to see it by using the following techniques:
+1. Customize the Start layout as you want users to see it by using the following techniques:
 
-    -   **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then click **Pin to Start**.
+    - **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then select **Pin to Start**.
 
-        To view all apps, click **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start.
+        To view all apps, select **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start.
 
-    -   **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then click **Unpin from Start**.
+    - **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then select **Unpin from Start**.
 
-    -   **Drag tiles** on Start to reorder or group apps.
+    - **Drag tiles** on Start to reorder or group apps.
 
-    -   **Resize tiles**. To resize tiles, right-click the tile and then click **Resize.**
+    - **Resize tiles**. To resize tiles, right-click the tile and then select **Resize.**
 
-    -   **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group.
-    
->[!IMPORTANT]
->In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in.
+    - **Create your own app groups**. Drag the apps to an empty area. To name a group, select above the group of tiles and then type the name in the **Name group** field that appears above the group.
+
+> [!IMPORTANT]
+> In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in.
 >
->In earlier versions of Windows 10, no tile would be pinned.
+> In earlier versions of Windows 10, no tile would be pinned.
 
-## Export the Start layout
+### Export the Start layout
 
 When you have the Start layout that you want your users to see, use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\
 
->[!IMPORTANT]
->If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions.
+> [!IMPORTANT]
+> If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions.
 
 **To export the Start layout to an .xml file**
 
-1.  While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**.
+1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**.
 
-2.  On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command:
+1. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command:
 
     `Export-StartLayout -path <path><file name>.xml`
-    
+
     On a device running Windows 10, version 1809 or higher, run the **Export-StartLayout** with the switch **-UseDesktopApplicationID**. For example:
 
     ```PowerShell
@@ -100,8 +98,8 @@ When you have the Start layout that you want your users to see, use the [Export-
 
     In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
 
-    Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet does not append the file name extension, and the policy settings require the extension.
-    
+    Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension.
+
     Example of a layout file produced by `Export-StartLayout`:
 
     ```xml
@@ -120,16 +118,15 @@ When you have the Start layout that you want your users to see, use the [Export-
         </LayoutModificationTemplate>
     ```
 
-3. (Optional) Edit the .xml file to add [a taskbar configuration](configure-windows-10-taskbar.md) or to [modify the exported layout](start-layout-xml-desktop.md). When you make changes to the exported layout, be aware that [the order of the elements in the .xml file is critical.](start-layout-xml-desktop.md#required-order)
+1. (Optional) Edit the .xml file to add [a taskbar configuration](configure-windows-10-taskbar.md) or to [modify the exported layout](start-layout-xml-desktop.md). When you make changes to the exported layout, be aware that [the order of the elements in the .xml file is critical.](start-layout-xml-desktop.md#required-order)
 
->[!IMPORTANT]
->If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path. 
+> [!IMPORTANT]
+> If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path. 
 
-
->[!NOTE]
->All clients that the start layout applies to must have the apps and other shortcuts present on the local system in the same location as the source for the Start layout.
+> [!NOTE]
+> All clients that the start layout applies to must have the apps and other shortcuts present on the local system in the same location as the source for the Start layout.
 >
->For scripts and application tile pins to work correctly, follow these rules:
+> For scripts and application tile pins to work correctly, follow these rules:
 >
 >* Executable files and scripts should be listed in \Program Files or wherever the installer of the app places them.
 >
@@ -141,11 +138,9 @@ When you have the Start layout that you want your users to see, use the [Export-
 >
 >* Three additional shortcuts are pinned to the start menu after the export. These are shortcuts to %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs, %APPDATA%\Microsoft\Windows\Start Menu\Programs, and %APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\.
 
+### Configure a partial Start layout
 
-## Configure a partial Start layout
-
-
-A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image.
+A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users can't change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image.
 
 ![locked tile group.](images/start-pinned-app.png)
 
@@ -157,30 +152,34 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
 
 **To configure a partial Start screen layout**
 
-1.  [Customize the Start layout](#customize-the-start-screen-on-your-test-computer).
+1. [Customize the Start layout](#customize-the-start-screen-on-your-test-computer).
 
-2.  [Export the Start layout](#export-the-start-layout).
-3.  Open the layout .xml file. There is a `<DefaultLayoutOverride>` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows:
+1. [Export the Start layout](#export-the-start-layout).
+1. Open the layout .xml file. There is a `<DefaultLayoutOverride>` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows:
 
     ```xml
     <DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">
     ```
 
-4.  Save the file and apply using any of the deployment methods.
+1. Save the file and apply using any of the deployment methods.
 
-> [!NOTE] 
+> [!NOTE]
 > Office 2019 tiles might be removed from the Start menu when you upgrade Office 2019. This only occurs if Office 2019 app tiles are in a custom group in the Start menu and only contains the Office 2019 app tiles. To avoid this problem, place another app tile in the Office 2019 group prior to the upgrade. For example, add Notepad.exe or calc.exe to the group. This issue occurs because Office 2019 removes and reinstalls the apps when they are upgraded. Start removes empty groups when it detects that all apps for that group have been removed.
 
+## Related articles
 
+[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
 
-## Related topics
+[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
 
+[Add image for secondary tiles](start-secondary-tiles.md)
 
-- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
-- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-- [Add image for secondary tiles](start-secondary-tiles.md)
-- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
-- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+
+[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+
+[Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+
+[Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+
+[Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 0ab80c34f4..04fb8e95d9 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -60,7 +60,10 @@
         "jborsecnik",
         "tiburd",
         "garycentric",
-        "beccarobins"
+        "beccarobins",
+        "v-stchambers",
+        "v-stsavell",
+        "American-Dipper"
       ],
       "searchScope": ["Windows 10"]
     },
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index 0fdc2d15c1..7dc2ae5f02 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -65,7 +65,7 @@ There are several kiosk configuration methods that you can choose from, dependin
 
     ![icon that represents a user account.](images/user.png)
 
-    The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
+    The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
 
 
 >[!IMPORTANT]
@@ -79,9 +79,9 @@ You can use this method | For this edition | For this kiosk account type
 --- | --- | ---
 [Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user
 [Assigned access cmdlets](kiosk-single-app.md#powershell)  | Pro, Ent, Edu | Local standard user
-[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard)  | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD 
-[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
-[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Azure AD
+[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard)  | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID 
+[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID
+[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
 
 <span id="classic" />
 
@@ -89,9 +89,9 @@ You can use this method | For this edition | For this kiosk account type
 
 You can use this method | For this edition | For this kiosk account type 
 --- | --- | ---
-[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD 
-[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
-[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Azure AD
+[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID 
+[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID
+[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
 
 <span id="desktop" />
 
@@ -99,9 +99,9 @@ You can use this method | For this edition | For this kiosk account type
 
 You can use this method | For this edition | For this kiosk account type 
 --- | --- | ---
-[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD
-[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Azure AD
-[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD  
+[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
+[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Microsoft Entra ID
+[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID  
 
 ## Summary of kiosk configuration methods
 
@@ -109,11 +109,11 @@ Method | App type | Account type | Single-app kiosk | Multi-app kiosk
 --- | --- | --- | :---: | :---:
 [Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | ✔️  |
 [Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | ✔️ |
-[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️  |
-[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md)  | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️  | ✔️
-Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | ✔️ | ✔️
-[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | 
-[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD |  | ✔️
+[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️  |
+[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md)  | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️  | ✔️
+Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | ✔️ | ✔️
+[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ | 
+[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID |  | ✔️
 
 
 >[!NOTE]
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md
index 7891caf75d..9e599f8790 100644
--- a/windows/configuration/kiosk-policies.md
+++ b/windows/configuration/kiosk-policies.md
@@ -29,7 +29,7 @@ When the assigned access kiosk configuration is applied on the device, certain p
 
 ## Group Policy
 
-The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not.  These users include local users, domain users, and Azure Active Directory users.
+The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not.  These users include local users, domain users, and Microsoft Entra users.
 
 | Setting |	Value |
 | --- | --- |
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index 0443a3047c..05323a4d02 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -216,7 +216,7 @@ Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-exper
 You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in.
 
 > [!NOTE]
-> If you are using a Windows client device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
+> If you are using a Windows client device restriction CSP to set "Preferred Microsoft Entra tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
 
 > [!TIP]
 > If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. 
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index fc9e86e27c..4bd3071b0d 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -52,7 +52,7 @@ For sample XML configurations for the different app combinations, see [Samples f
 >
 >- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. 
 
--   A domain, Azure Active Directory, or local user account.
+-   A domain, Microsoft Entra ID, or local user account.
 
 -   A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
 
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index db0f2a955f..e74ea773a1 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -85,7 +85,7 @@ You have several options for configuring your single-app kiosk.
 
 You can use **Settings** to quickly configure one or a few devices as a kiosk. 
 
-When your kiosk is a local device that isn't managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
+When your kiosk is a local device that isn't managed by Active Directory or Microsoft Entra ID, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
 
 - If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything.
 
@@ -235,17 +235,17 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
 
 3. Enable account management:
 
-    :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account.":::
+    :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account.":::
 
     If you want to enable account management, select **Account Management**, and configure the following settings:
 
     - **Manage organization/school accounts**: Choose how devices are enrolled. Your options:
       - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain.
-      - **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
+      - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
 
-        If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
+        If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
 
-        You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards.
+        You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
 
       - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
 
@@ -323,7 +323,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
 >
 >Account type:
 > - Local standard user
-> - Azure AD
+> - Microsoft Entra ID
 
 Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
 
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 0df2e63128..89f93fc919 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -311,7 +311,7 @@ The following example hides the taskbar:
 ```
 
 >[!IMPORTANT]
->The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information.  
+>The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.  
 
 #### Configs
 
@@ -322,8 +322,8 @@ The full multi-app assigned access experience can only work for non-admin users.
 You can assign:
 
 - [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only)
-- [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts)
-- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
+- [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts)
+- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
 
 >[!NOTE]
 >Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
@@ -365,7 +365,7 @@ Individual accounts are specified using `<Account>`.
 
 - Local account can be entered as `machinename\account` or `.\account` or just `account`.
 - Domain account should be entered as `domain\account`.
-- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Azure AD email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
+- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
 
 >[!WARNING]
 >Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account.  However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
@@ -373,7 +373,7 @@ Individual accounts are specified using `<Account>`.
 Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
 
 >[!NOTE]
->For both domain and Azure AD accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
+>For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
 
 ```xml
 <Configs>
@@ -388,7 +388,7 @@ Before applying the multi-app configuration, make sure the specified user accoun
 
 Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience.
 
-- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group won't have the kiosk settings applied.
+- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied.
 
   ```xml
   <Config>
@@ -406,7 +406,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
   </Config>
   ```
 
-- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
+- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
 
   ```xml
   <Config>
@@ -416,7 +416,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
   ```
 
   >[!NOTE]
-  >If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
+  >If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
 
 <span id="add-xml" />
 
@@ -588,7 +588,7 @@ When the multi-app assigned access configuration is applied on the device, certa
 
 ### Group policy
 
-The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Azure Active Directory users.
+The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Microsoft Entra users.
 
 | Setting | Value |
 | --- | --- |
diff --git a/windows/configuration/lock-down-windows-11-to-specific-apps.md b/windows/configuration/lock-down-windows-11-to-specific-apps.md
index 03ae4c3aed..e8f41d7572 100644
--- a/windows/configuration/lock-down-windows-11-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-11-to-specific-apps.md
@@ -207,7 +207,7 @@ The following example hides the taskbar:
 ```
 
 > [!IMPORTANT]
-> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information.  
+> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.  
 
 #### Configs
 
@@ -218,8 +218,8 @@ The full multi-app assigned access experience can only work for non-admin users.
 You can assign:
 
 - [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only)
-- [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts)
-- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
+- [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts)
+- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
 
 > [!NOTE]
 > Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
@@ -261,7 +261,7 @@ Individual accounts are specified using `<Account>`.
 
 - Local account can be entered as `machinename\account` or `.\account` or just `account`.
 - Domain account should be entered as `domain\account`.
-- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Azure AD email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
+- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
 
 > [!WARNING]
 > Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account.  However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
@@ -269,7 +269,7 @@ Individual accounts are specified using `<Account>`.
 Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
 
 > [!NOTE]
-> For both domain and Azure AD accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
+> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
 
 ```xml
 <Configs>
@@ -284,7 +284,7 @@ Before applying the multi-app configuration, make sure the specified user accoun
 
 Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience.
 
-- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group won't have the kiosk settings applied.
+- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied.
 
   ```xml
   <Config>
@@ -302,7 +302,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
   </Config>
   ```
 
-- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
+- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
 
   ```xml
   <Config>
@@ -312,7 +312,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
   ```
 
   > [!NOTE]
-  > If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
+  > If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
 
 <span id="add-xml" />
 
diff --git a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
index b3207522a4..5a71baac61 100644
--- a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
@@ -22,9 +22,11 @@ When applying a provisioning package (PPKG) containing power settings, elevated
 
 To apply the power settings successfully with the [correct security context](/windows/win32/services/localsystem-account), place the PPKG in `%WINDIR%/Provisioning/Packages` directory, and reboot the device. For more information, see [Configure power settings](/windows-hardware/customize/power-settings/configure-power-settings).
 
-## Unable to perform bulk enrollment in Azure AD
+<a name='unable-to-perform-bulk-enrollment-in-azure-ad'></a>
 
-When [enrolling devices into Azure AD using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request will be rejected, if the user requesting a bulk token is not authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent).
+## Unable to perform bulk enrollment in Microsoft Entra ID
+
+When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request will be rejected, if the user requesting a bulk token is not authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent).
 
 > [!NOTE]
 > When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request may be rejected.
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 4ea1962aa4..46ddabb9da 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -44,12 +44,12 @@ The desktop wizard helps you configure the following settings in a provisioning
 - Configure the device for shared use
 - Remove pre-installed software
 - Configure Wi-Fi network 
-- Enroll device in Active Directory or Azure Active Directory 
+- Enroll device in Active Directory or Microsoft Entra ID 
 - Create local administrator account 
 - Add applications and certificates
 
 >[!WARNING]
->You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards.
+>You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
 
 Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. 
 
@@ -100,17 +100,17 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 3. Enable account management:
 
-    :::image type="content" source="../images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account.":::
+    :::image type="content" source="../images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account.":::
 
     If you want to enable account management, select **Account Management**, and configure the following settings:
 
     - **Manage organization/school accounts**: Choose how devices are enrolled. Your options:
       - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain.
-      - **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
+      - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
 
-        If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
+        If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
 
-        You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards.
+        You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
 
       - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
 
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index e92747be63..22b8f9ad65 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -47,7 +47,7 @@ Windows Configuration Designer can create provisioning packages for Windows clie
 - Windows Server 2008 R2
 
 >[!WARNING]
->You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards.
+>You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
 
 ## Install Windows Configuration Designer
 
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index a778b86f70..96dce6d256 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -73,8 +73,8 @@ The following table describes settings that you can configure using the wizards
 | --- | --- | --- | --- | --- |
 | Set up device | Assign device name, enter product key to upgrade Windows, configure shared use, remove pre-installed software | ✔️ | ✔️ | ✔️ |
 | Set up network | Connect to a Wi-Fi network | ✔️ | ✔️ | ✔️ |
-| Account management | Enroll device in Active Directory, enroll device in Azure Active Directory, or create a local administrator account | ✔️ | ✔️ | ✔️ |
-| Bulk Enrollment in Azure AD | Enroll device in Azure Active Directory using Bulk Token</br></br> [Set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup), before you use Windows Configuration Designer wizard to configure bulk Azure AD enrollment. | ✔️ | ✔️ | ✔️ |
+| Account management | Enroll device in Active Directory, enroll device in Microsoft Entra ID, or create a local administrator account | ✔️ | ✔️ | ✔️ |
+| Bulk Enrollment in Microsoft Entra ID | Enroll device in Microsoft Entra ID using Bulk Token</br></br> [Set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup), before you use Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment. | ✔️ | ✔️ | ✔️ |
 | Add applications | Install applications using the provisioning package.  | ✔️ | ✔️ | ❌ |
 | Add certificates | Include a certificate file in the provisioning package. | ✔️ | ✔️ | ✔️ |
 | Configure kiosk account and app | Create local account to run the kiosk mode app, specify the app to run in kiosk mode | ❌ | ✔️ | ❌ |
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 41f4968fe9..c8ef487740 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -105,7 +105,7 @@ For more information, see [Using PowerShell scripting with the WMI Bridge Provid
 
 ## Guidance for accounts on shared PCs
 
-- When a device is configured in *shared PC mode* with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
+- When a device is configured in *shared PC mode* with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Microsoft Entra ID and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
 
 - Local accounts that already exist on a PC won't be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**.
 
@@ -150,4 +150,4 @@ To troubleshoot Shared PC, you can use the following tools:
 
 [UWP-1]: /uwp/api/windows.system.profile.sharedmodesettings
 [UWP-2]: /uwp/api/windows.system.profile.educationsettings
-[UWP-3]: /uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage
\ No newline at end of file
+[UWP-3]: /uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage
diff --git a/windows/configuration/shared-devices-concepts.md b/windows/configuration/shared-devices-concepts.md
index cabee079ab..0138bae2ca 100644
--- a/windows/configuration/shared-devices-concepts.md
+++ b/windows/configuration/shared-devices-concepts.md
@@ -1,14 +1,12 @@
 ---
 title: Manage multi-user and guest Windows devices
 description: options to optimize Windows devices used in shared scenarios, such touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
-ms.date: 10/15/2022
+ms.date: 08/18/2023
 ms.prod: windows-client
 ms.technology: itpro-configure
-ms.topic: conceptual
-ms.localizationpriority: medium
+ms.topic: concept-article
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: 
 manager: aaroncz
 ms.collection: tier2
 appliesto: 
diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
index f6909fdc31..9c048c2cf5 100644
--- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
@@ -3,7 +3,9 @@ title: Administering UE-V with Windows PowerShell and WMI
 description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md
index 02bb612d1b..627039a508 100644
--- a/windows/configuration/ue-v/uev-administering-uev.md
+++ b/windows/configuration/ue-v/uev-administering-uev.md
@@ -3,7 +3,9 @@ title: Administering UE-V
 description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index d0d7b3db53..21e3edd00d 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -3,7 +3,9 @@ title: Application Template Schema Reference for UE-V
 description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index 28f57b767c..0104526a2b 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -3,7 +3,9 @@ title: Changing the Frequency of UE-V Scheduled Tasks
 description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
index f18438c0c3..44e725599f 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
@@ -3,7 +3,9 @@ title: Configuring UE-V with Group Policy Objects
 description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index efd9497722..30bf50f542 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -3,7 +3,9 @@ title: Configuring UE-V with Microsoft Configuration Manager
 description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Configuration Manager.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
index 04a273fdd4..1ab8b30874 100644
--- a/windows/configuration/ue-v/uev-deploy-required-features.md
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md
@@ -3,7 +3,9 @@ title: Deploy required UE-V features
 description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example, a network share that stores and retrieves user settings.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 76987da15a..65523c41b0 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -3,7 +3,9 @@ title: Use UE-V with custom applications
 description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md
index 7b140aa669..c8732241c7 100644
--- a/windows/configuration/ue-v/uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-for-windows.md
@@ -3,7 +3,9 @@ title: User Experience Virtualization for Windows 10, version 1607
 description: Overview of User Experience Virtualization for Windows 10, version 1607
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 05/02/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
index 32db93baee..7bf8cae820 100644
--- a/windows/configuration/ue-v/uev-getting-started.md
+++ b/windows/configuration/ue-v/uev-getting-started.md
@@ -3,7 +3,9 @@ title: Get Started with UE-V
 description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 03/08/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
index 34a9229f65..ec137a5b65 100644
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
@@ -3,7 +3,9 @@ title: Manage Administrative Backup and Restore in UE-V
 description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
index 51a1e724fe..419e2f3379 100644
--- a/windows/configuration/ue-v/uev-manage-configurations.md
+++ b/windows/configuration/ue-v/uev-manage-configurations.md
@@ -3,7 +3,9 @@ title: Manage Configurations for UE-V
 description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
index 78252752e3..fd0c9e9aac 100644
--- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
@@ -3,7 +3,9 @@ title: Managing UE-V Settings Location Templates Using Windows PowerShell and WM
 description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
index 079e034324..9be69be554 100644
--- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
@@ -3,7 +3,9 @@ title: Manage UE-V Service and Packages with Windows PowerShell and WMI
 description: Managing the UE-V service and packages with Windows PowerShell and WMI
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md
index 27fcbea39e..37a5be45ad 100644
--- a/windows/configuration/ue-v/uev-migrating-settings-packages.md
+++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md
@@ -3,7 +3,9 @@ title: Migrating UE-V settings packages
 description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index f498b6600b..3ed4ab1b43 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -3,7 +3,9 @@ title: Prepare a UE-V Deployment
 description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index 42571c453b..995f79f988 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -3,7 +3,9 @@ title: User Experience Virtualization (UE-V) Release Notes
 description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that isn't included in the UE-V documentation.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md
index 2bde66cad7..0f2220b76e 100644
--- a/windows/configuration/ue-v/uev-security-considerations.md
+++ b/windows/configuration/ue-v/uev-security-considerations.md
@@ -3,7 +3,9 @@ title: Security Considerations for UE-V
 description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V).
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md
index bff2257777..17d2bba46f 100644
--- a/windows/configuration/ue-v/uev-sync-methods.md
+++ b/windows/configuration/ue-v/uev-sync-methods.md
@@ -3,7 +3,9 @@ title: Sync Methods for UE-V
 description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md
index a080d46d6e..6cae6d66bf 100644
--- a/windows/configuration/ue-v/uev-sync-trigger-events.md
+++ b/windows/configuration/ue-v/uev-sync-trigger-events.md
@@ -3,7 +3,9 @@ title: Sync Trigger Events for UE-V
 description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index a28147ecb1..e06e33e471 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -3,7 +3,9 @@ title: Synchronizing Microsoft Office with UE-V
 description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md
index c4f15d65ce..aa4bde4500 100644
--- a/windows/configuration/ue-v/uev-technical-reference.md
+++ b/windows/configuration/ue-v/uev-technical-reference.md
@@ -3,7 +3,9 @@ title: Technical Reference for UE-V
 description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V).
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md
index 0f96a38a1b..e27f2c92a6 100644
--- a/windows/configuration/ue-v/uev-troubleshooting.md
+++ b/windows/configuration/ue-v/uev-troubleshooting.md
@@ -3,7 +3,9 @@ title: Troubleshooting UE-V
 description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
index 495602a3d7..12ac8cd14c 100644
--- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
@@ -3,7 +3,9 @@ title: Upgrade to UE-V for Windows 10
 description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
index 4d2e9541ec..85bc1b7d3c 100644
--- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
+++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
@@ -3,7 +3,9 @@ title: Using UE-V with Application Virtualization applications
 description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V).
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
index 147230cb37..fa2083f4ad 100644
--- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
@@ -3,7 +3,9 @@ title: What's New in UE-V for Windows 10, version 1607
 description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
index 1c94036b4c..8fca3e87fa 100644
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
+++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
@@ -3,7 +3,9 @@ title: Working with Custom UE-V Templates and the UE-V Template Generator
 description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
 author: aczechowski
 ms.prod: windows-client
-ms.collection: tier3
+ms.collection:
+ - tier3
+ - must-keep
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md
index 3d883a1d2b..0b571541ae 100644
--- a/windows/configuration/wcd/wcd-accountmanagement.md
+++ b/windows/configuration/wcd/wcd-accountmanagement.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index 2f26418dde..20e2c8f6fc 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
@@ -14,7 +15,7 @@ ms.technology: itpro-configure
 
 # Accounts (Windows Configuration Designer reference)
 
-Use these settings to join a device to an Active Directory domain or an Azure Active Directory tenant, or to add local user accounts to the device.
+Use these settings to join a device to an Active Directory domain or a Microsoft Entra tenant, or to add local user accounts to the device.
 
 ## Applies to
 
@@ -27,7 +28,7 @@ Use these settings to join a device to an Active Directory domain or an Azure Ac
 
 ## Azure
 
-The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Directory (Azure AD) enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Azure AD enrollment in a wizard, you can switch to the advanced editor to configure more provisioning settings. For information about using the wizards, see:
+The **Azure > Authority** and **Azure > BPRT** settings for bulk Microsoft Entra enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Microsoft Entra enrollment in a wizard, you can switch to the advanced editor to configure more provisioning settings. For information about using the wizards, see:
 
 - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md)
 - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md
index b1c2aad0d0..9af5c203a8 100644
--- a/windows/configuration/wcd/wcd-admxingestion.md
+++ b/windows/configuration/wcd/wcd-admxingestion.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md
index 17322a4076..0e3964d49e 100644
--- a/windows/configuration/wcd/wcd-assignedaccess.md
+++ b/windows/configuration/wcd/wcd-assignedaccess.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md
index abcc63d261..3168b7df93 100644
--- a/windows/configuration/wcd/wcd-browser.md
+++ b/windows/configuration/wcd/wcd-browser.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 10/02/2018
 ms.reviewer: 
 manager: aaroncz
@@ -84,7 +85,7 @@ Use *Default* to specify a name that matches one of the search providers you ent
 Some countries/regions require specific, default search providers. The following table lists the applicable countries/regions and information for configuring the necessary search provider.
 
 >[!NOTE]
->For Russia + Commonwealth of Independent States (CIS), the independent states consist of Russia, Ukraine, Georgia, The Republic of Azerbaijan, Republic Of Belarus, The Republic of Kazakhstan, The Kyrgyz Republic, The Republic of Moldova, The Republic of Tajikistan, The Republic of Armenia, Turkmenistan, The Republic of Uzbekistan, and Turkey.
+>For Russia + Commonwealth of Independent States (CIS), the independent states consist of Russia, Ukraine, Georgia, The Republic of Azerbaijan, Republic Of Belarus, The Republic of Kazakhstan, The Kyrgyz Republic, The Republic of Moldova, The Republic of Tajikistan, The Republic of Armenia, Turkmenistan, The Republic of Uzbekistan, and Türkiye.
 
 
 
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md
index 4d48caa562..f9f8b16187 100644
--- a/windows/configuration/wcd/wcd-cellcore.md
+++ b/windows/configuration/wcd/wcd-cellcore.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 10/02/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md
index d39280a5fe..4ea08e6e5b 100644
--- a/windows/configuration/wcd/wcd-cellular.md
+++ b/windows/configuration/wcd/wcd-cellular.md
@@ -7,7 +7,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md
index 8a15c48f5b..b05ce84a8f 100644
--- a/windows/configuration/wcd/wcd-certificates.md
+++ b/windows/configuration/wcd/wcd-certificates.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md
index 6788558d33..32db3b13f7 100644
--- a/windows/configuration/wcd/wcd-changes.md
+++ b/windows/configuration/wcd/wcd-changes.md
@@ -7,7 +7,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md
index 3bb2b66098..d5cf3986fb 100644
--- a/windows/configuration/wcd/wcd-cleanpc.md
+++ b/windows/configuration/wcd/wcd-cleanpc.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
index 0434a57ba2..dc3d949232 100644
--- a/windows/configuration/wcd/wcd-connections.md
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md
index 88daab22bd..e66ad72ff5 100644
--- a/windows/configuration/wcd/wcd-connectivityprofiles.md
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md
index 9c1e5b2b70..8e9f623688 100644
--- a/windows/configuration/wcd/wcd-countryandregion.md
+++ b/windows/configuration/wcd/wcd-countryandregion.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
index b7d4eee9d8..3c88652ff7 100644
--- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
+++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/21/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md
index f93fe468a8..1820eebc0a 100644
--- a/windows/configuration/wcd/wcd-developersetup.md
+++ b/windows/configuration/wcd/wcd-developersetup.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md
index d47c6a0d97..eb07550f1f 100644
--- a/windows/configuration/wcd/wcd-deviceformfactor.md
+++ b/windows/configuration/wcd/wcd-deviceformfactor.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index fd933e1cb7..1f4744f0a1 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md
index 4d5c9d8f2f..8c9cbe5372 100644
--- a/windows/configuration/wcd/wcd-deviceupdatecenter.md
+++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md
@@ -6,7 +6,8 @@ author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md
index 218f3f2102..f5169b0cee 100644
--- a/windows/configuration/wcd/wcd-dmclient.md
+++ b/windows/configuration/wcd/wcd-dmclient.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md
index 696a33078b..99b9f9fc47 100644
--- a/windows/configuration/wcd/wcd-editionupgrade.md
+++ b/windows/configuration/wcd/wcd-editionupgrade.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md
index 3bfedb1fc5..1310f33c30 100644
--- a/windows/configuration/wcd/wcd-firewallconfiguration.md
+++ b/windows/configuration/wcd/wcd-firewallconfiguration.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md
index d17727272b..1c2b161ffa 100644
--- a/windows/configuration/wcd/wcd-firstexperience.md
+++ b/windows/configuration/wcd/wcd-firstexperience.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 08/08/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md
index d59d40f6a3..05670e0935 100644
--- a/windows/configuration/wcd/wcd-folders.md
+++ b/windows/configuration/wcd/wcd-folders.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md
index e838a329d8..0fb6073692 100644
--- a/windows/configuration/wcd/wcd-hotspot.md
+++ b/windows/configuration/wcd/wcd-hotspot.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 12/18/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md
index 600809d119..addcf27aad 100644
--- a/windows/configuration/wcd/wcd-kioskbrowser.md
+++ b/windows/configuration/wcd/wcd-kioskbrowser.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 10/02/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md
index f03737f546..a2135a483b 100644
--- a/windows/configuration/wcd/wcd-licensing.md
+++ b/windows/configuration/wcd/wcd-licensing.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md
index 94fe50a11b..bbc00f2648 100644
--- a/windows/configuration/wcd/wcd-location.md
+++ b/windows/configuration/wcd/wcd-location.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md
index a371f05731..bf3aeccaf3 100644
--- a/windows/configuration/wcd/wcd-maps.md
+++ b/windows/configuration/wcd/wcd-maps.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md
index f12104c539..3e2ac6dce1 100644
--- a/windows/configuration/wcd/wcd-networkproxy.md
+++ b/windows/configuration/wcd/wcd-networkproxy.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md
index 71560b301f..eb78b8e3fe 100644
--- a/windows/configuration/wcd/wcd-networkqospolicy.md
+++ b/windows/configuration/wcd/wcd-networkqospolicy.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md
index f8af613b82..61c6c77b95 100644
--- a/windows/configuration/wcd/wcd-oobe.md
+++ b/windows/configuration/wcd/wcd-oobe.md
@@ -7,7 +7,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md
index b89c45755d..c6ab55142e 100644
--- a/windows/configuration/wcd/wcd-personalization.md
+++ b/windows/configuration/wcd/wcd-personalization.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 902475d894..449ba3ba75 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -7,7 +7,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md
index 65d872fe1b..13962db09d 100644
--- a/windows/configuration/wcd/wcd-privacy.md
+++ b/windows/configuration/wcd/wcd-privacy.md
@@ -6,7 +6,8 @@ author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md
index d523106679..e79eb9f7f3 100644
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index 80275970c1..9bff17847b 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 10/16/2017
 ms.reviewer: 
 manager: aaroncz
@@ -28,7 +29,7 @@ Use these settings to configure settings for accounts allowed on the shared PC.
 
 | Setting | Value | Description |
 | --- | --- | --- |
-| AccountModel  | - Only guest</br>- Domain-joined only</br>- Domain-joined and guest  | This option controls how users can sign in on the PC. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign in screen and enable anonymous guest access to the PC. </br></br>- Only guest allows anyone to use the PC as a local standard (non-admin) account.</br>- Domain-joined only allows users to sign in with an Active Directory or Azure AD account.</br>- Domain-joined and guest allows users to sign in with an Active Directory, Azure AD, or local standard account.  |
+| AccountModel  | - Only guest</br>- Domain-joined only</br>- Domain-joined and guest  | This option controls how users can sign in on the PC. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign in screen and enable anonymous guest access to the PC. </br></br>- Only guest allows anyone to use the PC as a local standard (non-admin) account.</br>- Domain-joined only allows users to sign in with an Active Directory or Microsoft Entra account.</br>- Domain-joined and guest allows users to sign in with an Active Directory, Microsoft Entra ID, or local standard account.  |
 | DeletionPolicy  | - Delete immediately </br>- Delete at disk space threshold</br>- Delete at disk space threshold and inactive threshold | - **Delete immediately** deletes the account on sign out.</br>- **Delete at disk space threshold** starts deleting accounts when available disk space falls below the threshold you set for `DiskLevelDeletion`. It stops deleting accounts when the available disk space reaches the threshold you set for `DiskLevelCaching`. Accounts are deleted in order of oldest accessed to most recently accessed.</br>- **Delete at disk space threshold and inactive threshold** applies the same disk space checks as noted above. It also deletes accounts if they haven't signed in within the number of days in `InactiveThreshold`.  |
 | DiskLevelCaching  | A number between 0 and 100  | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching.  |
 | DiskLevelDeletion  | A number between 0 and 100  | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion.  |
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
index 5ce6d3c4b1..1e5fe77243 100644
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 03/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
index 53ff39614a..b8d84f5b0c 100644
--- a/windows/configuration/wcd/wcd-start.md
+++ b/windows/configuration/wcd/wcd-start.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md
index 44ae8f59c7..55c8fcc8f3 100644
--- a/windows/configuration/wcd/wcd-startupapp.md
+++ b/windows/configuration/wcd/wcd-startupapp.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
index b04f726240..6838b63730 100644
--- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md
+++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
index d9a2c856ff..397c14a4f5 100644
--- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
+++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 manager: aaroncz
 ms.technology: itpro-configure
 ms.date: 12/31/2017
diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md
index 92dd641460..cd0bdc4208 100644
--- a/windows/configuration/wcd/wcd-surfacehubmanagement.md
+++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md
index 13b9e9a810..9934c78fd0 100644
--- a/windows/configuration/wcd/wcd-tabletmode.md
+++ b/windows/configuration/wcd/wcd-tabletmode.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md
index 1001238225..d5071fb0e0 100644
--- a/windows/configuration/wcd/wcd-takeatest.md
+++ b/windows/configuration/wcd/wcd-takeatest.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: aaroncz
@@ -42,7 +43,7 @@ When set to True, students can print in the Take A Test app.
 
 Enter the account to use when taking a test.
 
-To specify a domain account, enter **domain\user**. To specify an Azure AD account, enter `username@tenant.com`. To specify a local account, enter the username.
+To specify a domain account, enter **domain\user**. To specify a Microsoft Entra account, enter `username@tenant.com`. To specify a local account, enter the username.
 
 ## Related articles
 
diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md
index 320b7fa6a5..1bb981193e 100644
--- a/windows/configuration/wcd/wcd-time.md
+++ b/windows/configuration/wcd/wcd-time.md
@@ -6,7 +6,8 @@ author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md
index 6bc7634cfb..2c03844e3f 100644
--- a/windows/configuration/wcd/wcd-unifiedwritefilter.md
+++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index 98f1fd3fd3..2e3a68fe9f 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md
index 4f40efa1fb..5889dc2d7e 100644
--- a/windows/configuration/wcd/wcd-universalappuninstall.md
+++ b/windows/configuration/wcd/wcd-universalappuninstall.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
index 8dbef10171..9869da77b4 100644
--- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md
index a7eafa43c9..211d170ce0 100644
--- a/windows/configuration/wcd/wcd-weakcharger.md
+++ b/windows/configuration/wcd/wcd-weakcharger.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
index 1a414d570f..f69695122b 100644
--- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md
+++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md
index e37dc898a4..f2ae2c2447 100644
--- a/windows/configuration/wcd/wcd-windowsteamsettings.md
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
@@ -44,10 +45,10 @@ A device account is a Microsoft Exchange account that's connected with Skype for
 | Email  | Email address  | Email address of the device account.  |
 | ExchangeServer  | Exchange Server  | Normally, the device will try to automatically discover the Exchange server. This field is only required if automatic discovery fails.  |
 | Password  | Password  | Password for the device account.  |
-| PasswordRotationEnabled  | 0 = enabled</br>1 = disabled  | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, then use this setting to allow the device to manage its own password. It can change the password frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Azure AD.  |
+| PasswordRotationEnabled  | 0 = enabled</br>1 = disabled  | Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, then use this setting to allow the device to manage its own password. It can change the password frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory or Microsoft Entra ID.  |
 | SipAddress  | Session Initiation Protocol (SIP) address   | Normally, the device will try to automatically discover the SIP. This field is only required if automatic discovery fails.  |
 | UserName  | User name  | Username of the device account when using Active Directory.  |
-| UserPrincipalName  | User principal name (UPN)  | To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.  |
+| UserPrincipalName  | User principal name (UPN)  | To use a device account from Microsoft Entra ID or a hybrid deployment, you should specify the UPN of the device account.  |
 | ValidateAndCommit  | Any text | Validates the data provided and then commits the changes. This process occurs automatically after the other DeviceAccount settings are applied. The text you enter for the ValidateAndCommit setting doesn't matter. |
 
 ## Dot3
diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md
index a44a635cf6..6a2da109c1 100644
--- a/windows/configuration/wcd/wcd-wlan.md
+++ b/windows/configuration/wcd/wcd-wlan.md
@@ -7,7 +7,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md
index b36b0cd090..8e21def9dd 100644
--- a/windows/configuration/wcd/wcd-workplace.md
+++ b/windows/configuration/wcd/wcd-workplace.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index 8c1f2f6053..3fe32ffa9b 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -5,7 +5,8 @@ ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.topic: article
+ms.topic: reference
+ms.collection: must-keep
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-configure
diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md
index 34434f0a9d..cda104c484 100644
--- a/windows/configuration/windows-accessibility-for-ITPros.md
+++ b/windows/configuration/windows-accessibility-for-ITPros.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
 ms.technology: itpro-configure
 ms.author: lizlong
 author: lizgt2000
-ms.date: 06/27/2023
+ms.date: 08/11/2023
 ms.reviewer: 
 manager: aaroncz
 ms.localizationpriority: medium
@@ -16,6 +16,9 @@ appliesto:
   - ✅ <b>Windows 11</b>
 ---
 
+<!-- MAXADO-8138357 -->
+<!-- MAXADO-8138352 -->
+
 # Accessibility information for IT professionals
 
 Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows.
@@ -34,7 +37,7 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
 
 ## Vision
 
-- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Starting in Windows 11, version 22H2, Narrator includes more natural voices.
+- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Now the user is able to download and install 10 more natural languages.
 
 - [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.
 
@@ -109,8 +112,13 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
 
 - [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.
 
+- Scripting functionality has been added to Narrator. There is store delivery of Narrator extension scripts which currently include an Outlook script and an Excel script.
+
 - [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571).
 
+<!-- MAXADO-8138354 -->
+- With spellings experience in voice access, you can dictate a complex or non-standard word letter-by-letter and add it to Windows dictionary. The next time you try to dictate the same word, voice access improves its recognition.
+
 - [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec).
 
 - [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/en-us/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d).
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index b8da7a6027..5d7ac4a474 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -124,16 +124,6 @@
                   href: deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
                 - name: In-place upgrade
                   href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
-            - name: Subscription Activation
-              items:
-                - name: Windows subscription activation
-                  href: windows-10-subscription-activation.md
-                - name: Windows Enterprise E3 in CSP
-                  href: windows-10-enterprise-e3-overview.md
-                - name: Configure VDA for subscription activation
-                  href: vda-subscription-activation.md
-                - name: Deploy Windows Enterprise licenses
-                  href: deploy-enterprise-licenses.md
         - name: Deploy Windows client updates
           items:
             - name: Assign devices to servicing channels
@@ -184,6 +174,109 @@
               href: update/deployment-service-drivers.md
           - name: Troubleshoot Windows Update for Business deployment service
             href: update/deployment-service-troubleshoot.md
+    - name: Activate
+      items:
+      - name: Windows subscription activation
+        href: windows-10-subscription-activation.md
+      - name: Windows Enterprise E3 in CSP
+        href: windows-10-enterprise-e3-overview.md
+      - name: Configure VDA for subscription activation
+        href: vda-subscription-activation.md
+      - name: Deploy Windows Enterprise licenses
+        href: deploy-enterprise-licenses.md
+      - name: Volume Activation 
+        items:
+        - name: Overview
+          href: volume-activation/volume-activation-windows-10.md
+        - name: Plan for volume activation 
+          href: volume-activation/plan-for-volume-activation-client.md
+        - name: Activate using Key Management Service 
+          href: volume-activation/activate-using-key-management-service-vamt.md
+        - name: Activate using Active Directory-based activation 
+          href: volume-activation/activate-using-active-directory-based-activation-client.md
+        - name: Activate clients running Windows 10
+          href: volume-activation/activate-windows-10-clients-vamt.md
+        - name: Monitor activation 
+          href: volume-activation/monitor-activation-client.md
+        - name: Use the Volume Activation Management Tool 
+          href: volume-activation/use-the-volume-activation-management-tool-client.md
+        href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
+      - name: Volume Activation Management Tool (VAMT)
+        items:
+        - name: VAMT technical reference
+          href: volume-activation/volume-activation-management-tool.md
+        - name: Introduction to VAMT
+          href: volume-activation/introduction-vamt.md
+        - name: Active Directory-Based Activation Overview
+          href: volume-activation/active-directory-based-activation-overview.md
+        - name: Install and Configure VAMT
+          items:
+          - name: Overview
+            href: volume-activation/install-configure-vamt.md
+          - name: VAMT Requirements
+            href: volume-activation/vamt-requirements.md
+          - name: Install VAMT
+            href: volume-activation/install-vamt.md
+          - name: Configure Client Computers
+            href: volume-activation/configure-client-computers-vamt.md
+        - name: Add and Manage Products
+          items:
+          - name: Overview
+            href: volume-activation/add-manage-products-vamt.md
+          - name: Add and Remove Computers
+            href: volume-activation/add-remove-computers-vamt.md
+          - name: Update Product Status
+            href: volume-activation/update-product-status-vamt.md
+          - name: Remove Products
+            href: volume-activation/remove-products-vamt.md
+        - name: Manage Product Keys
+          items:
+          - name: Overview
+            href: volume-activation/manage-product-keys-vamt.md
+          - name: Add and Remove a Product Key
+            href: volume-activation/add-remove-product-key-vamt.md
+          - name: Install a Product Key
+            href: volume-activation/install-product-key-vamt.md
+          - name: Install a KMS Client Key
+            href: volume-activation/install-kms-client-key-vamt.md
+        - name: Manage Activations
+          items:
+          - name: Overview
+            href: volume-activation/manage-activations-vamt.md
+          - name: Run Online Activation
+            href: volume-activation/online-activation-vamt.md
+          - name: Run Proxy Activation
+            href: volume-activation/proxy-activation-vamt.md
+          - name: Run KMS Activation
+            href: volume-activation/kms-activation-vamt.md
+          - name: Run Local Reactivation
+            href: volume-activation/local-reactivation-vamt.md
+          - name: Activate an Active Directory Forest Online
+            href: volume-activation/activate-forest-vamt.md
+          - name: Activate by Proxy an Active Directory Forest
+            href: volume-activation/activate-forest-by-proxy-vamt.md
+        - name: Manage VAMT Data
+          items:
+          - name: Overview
+            href: volume-activation/manage-vamt-data.md
+          - name: Import and Export VAMT Data
+            href: volume-activation/import-export-vamt-data.md
+          - name: Use VAMT in Windows PowerShell
+            href: volume-activation/use-vamt-in-windows-powershell.md
+          - name: VAMT Step-by-Step Scenarios
+            items:
+            - name: Overview
+              href: volume-activation/vamt-step-by-step.md
+            - name: "Scenario 1: Online Activation"
+              href: volume-activation/scenario-online-activation-vamt.md
+            - name: "Scenario 2: Proxy Activation"
+              href: volume-activation/scenario-proxy-activation-vamt.md
+            - name: "Scenario 3: KMS Client Activation"
+              href: volume-activation/scenario-kms-activation-vamt.md
+          - name: VAMT Known Issues
+            href: volume-activation/vamt-known-issues.md
+      - name: Information sent to Microsoft during activation
+        href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
     - name: Monitor
       items:
       - name: Windows Update for Business reports
@@ -280,9 +373,9 @@
         - name: How does Windows Update work?
           href: update/how-windows-update-works.md
         - name: Windows client upgrade paths
-          href: upgrade/windows-10-upgrade-paths.md
+          href: upgrade/windows-upgrade-paths.md
         - name: Windows client edition upgrade
-          href: upgrade/windows-10-edition-upgrades.md
+          href: upgrade/windows-edition-upgrades.md
         - name: Deploy Windows 10 with Microsoft 365
           href: deploy-m365.md
         - name: Understand the Unified Update Platform
@@ -327,82 +420,6 @@
                       href: planning/security-and-data-protection-considerations-for-windows-to-go.md
                     - name: "Windows To Go: frequently asked questions"
                       href: planning/windows-to-go-frequently-asked-questions.yml
-        
-                - name: Volume Activation Management Tool (VAMT) technical reference
-                  items:
-                    - name: VAMT technical reference
-                      href: volume-activation/volume-activation-management-tool.md
-                    - name: Introduction to VAMT
-                      href: volume-activation/introduction-vamt.md
-                    - name: Active Directory-Based Activation Overview
-                      href: volume-activation/active-directory-based-activation-overview.md
-                    - name: Install and Configure VAMT
-                      items:
-                      - name: Overview
-                        href: volume-activation/install-configure-vamt.md
-                      - name: VAMT Requirements
-                        href: volume-activation/vamt-requirements.md
-                      - name: Install VAMT
-                        href: volume-activation/install-vamt.md
-                      - name: Configure Client Computers
-                        href: volume-activation/configure-client-computers-vamt.md
-                    - name: Add and Manage Products
-                      items:
-                      - name: Overview
-                        href: volume-activation/add-manage-products-vamt.md
-                      - name: Add and Remove Computers
-                        href: volume-activation/add-remove-computers-vamt.md
-                      - name: Update Product Status
-                        href: volume-activation/update-product-status-vamt.md
-                      - name: Remove Products
-                        href: volume-activation/remove-products-vamt.md
-                    - name: Manage Product Keys
-                      items:
-                      - name: Overview
-                        href: volume-activation/manage-product-keys-vamt.md
-                      - name: Add and Remove a Product Key
-                        href: volume-activation/add-remove-product-key-vamt.md
-                      - name: Install a Product Key
-                        href: volume-activation/install-product-key-vamt.md
-                      - name: Install a KMS Client Key
-                        href: volume-activation/install-kms-client-key-vamt.md
-                    - name: Manage Activations
-                      items:
-                      - name: Overview
-                        href: volume-activation/manage-activations-vamt.md
-                      - name: Run Online Activation
-                        href: volume-activation/online-activation-vamt.md
-                      - name: Run Proxy Activation
-                        href: volume-activation/proxy-activation-vamt.md
-                      - name: Run KMS Activation
-                        href: volume-activation/kms-activation-vamt.md
-                      - name: Run Local Reactivation
-                        href: volume-activation/local-reactivation-vamt.md
-                      - name: Activate an Active Directory Forest Online
-                        href: volume-activation/activate-forest-vamt.md
-                      - name: Activate by Proxy an Active Directory Forest
-                        href: volume-activation/activate-forest-by-proxy-vamt.md
-                    - name: Manage VAMT Data
-                      items:
-                      - name: Overview
-                        href: volume-activation/manage-vamt-data.md
-                      - name: Import and Export VAMT Data
-                        href: volume-activation/import-export-vamt-data.md
-                      - name: Use VAMT in Windows PowerShell
-                        href: volume-activation/use-vamt-in-windows-powershell.md
-                    - name: VAMT Step-by-Step Scenarios
-                      items:
-                      - name: Overview
-                        href: volume-activation/vamt-step-by-step.md
-                      - name: "Scenario 1: Online Activation"
-                        href: volume-activation/scenario-online-activation-vamt.md
-                      - name: "Scenario 2: Proxy Activation"
-                        href: volume-activation/scenario-proxy-activation-vamt.md
-                      - name: "Scenario 3: KMS Client Activation"
-                        href: volume-activation/scenario-kms-activation-vamt.md
-                    - name: VAMT Known Issues
-                      href: volume-activation/vamt-known-issues.md
-        
                 - name: User State Migration Tool (USMT) technical reference
                   items:
                     - name: USMT overview articles
@@ -570,25 +587,6 @@
                     href: planning/testing-your-application-mitigation-packages.md
                   - name: Use the Sdbinst.exe Command-Line Tool
                     href: planning/using-the-sdbinstexe-command-line-tool.md
-                - name: Volume Activation 
-                  items:
-                  - name: Overview
-                    href: volume-activation/volume-activation-windows-10.md
-                  - name: Plan for volume activation 
-                    href: volume-activation/plan-for-volume-activation-client.md
-                  - name: Activate using Key Management Service 
-                    href: volume-activation/activate-using-key-management-service-vamt.md
-                  - name: Activate using Active Directory-based activation 
-                    href: volume-activation/activate-using-active-directory-based-activation-client.md
-                  - name: Activate clients running Windows 10
-                    href: volume-activation/activate-windows-10-clients-vamt.md
-                  - name: Monitor activation 
-                    href: volume-activation/monitor-activation-client.md
-                  - name: Use the Volume Activation Management Tool 
-                    href: volume-activation/use-the-volume-activation-management-tool-client.md
-                - name: "Appendix: Information sent to Microsoft during activation "
-                  href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
-
         - name: Install fonts in Windows client
           href: windows-10-missing-fonts.md
         - name: Customize Windows PE boot images
diff --git a/windows/deployment/breadcrumb/toc.yml b/windows/deployment/breadcrumb/toc.yml
index 65a30e06f7..211570e4b0 100644
--- a/windows/deployment/breadcrumb/toc.yml
+++ b/windows/deployment/breadcrumb/toc.yml
@@ -1,60 +1,3 @@
-items:
-- name: Learn
-  tocHref: /
-  topicHref: /
-  items:
-  - name: Windows
-    tocHref: /troubleshoot/windows-client/
-    topicHref: /windows/resources/
-    items:
-    - name: Deployment
-      tocHref: /troubleshoot/windows-client/deployment/
-      topicHref: /windows/deployment/
-
-- name: Learn
-  tocHref: /
-  topicHref: /
-  items:
-  - name: Windows
-    tocHref: /windows/
-    topicHref: /windows/resources/
-    items:
-    - name: Deployment
-      tocHref: /windows/whats-new
-      topicHref: /windows/deployment/
-
-- name: Learn
-  tocHref: /
-  topicHref: /
-  items:
-  - name: Windows
-    tocHref: /mem/intune/
-    topicHref: /windows/resources/
-    items:
-    - name: Deployment
-      tocHref: /mem/intune/protect/
-      topicHref: /windows/deployment/
-
-- name: Learn
-  tocHref: /
-  topicHref: /
-  items:
-  - name: Windows
-    tocHref: /windows/
-    topicHref: /windows/resources/
-    items:
-    - name: Deployment
-      tocHref: /windows/client-management/mdm
-      topicHref: /windows/deployment/     
-
-- name: Learn
-  tocHref: /
-  topicHref: /
-  items:
-  - name: Windows
-    tocHref: /windows/
-    topicHref: /windows/resources/
-    items:
-    - name: Deployment
-      tocHref: /windows/deployment/do
-      topicHref: /windows/deployment/
\ No newline at end of file
+- name: Windows
+  tocHref: /windows/
+  topicHref: /windows/index
diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md
index deed6bd549..1e160b35dd 100644
--- a/windows/deployment/customize-boot-image.md
+++ b/windows/deployment/customize-boot-image.md
@@ -7,7 +7,7 @@ author: frankroj
 manager: aaroncz
 ms.author: frankroj
 ms.topic: article
-ms.date: 07/26/2023
+ms.date: 09/05/2023
 ms.technology: itpro-deploy
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@@ -108,7 +108,7 @@ Before modifying the desired boot image, make a backup copy of the boot image th
 
 Adjust the above paths for 32-bit boot images (only available with Windows 10 ADKs).
 
-The following commands backs up the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**:
+The following command backs up the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**:
 ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell)
 
 From an elevated **PowerShell** command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. If a backed-up boot image already exists, this command needs confirmation before it overwrites the existing backed up boot image:
@@ -634,7 +634,7 @@ copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windo
 
 copy "<Mount_folder_path>\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi"
 
-copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"
+copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi"
 
 copy "<Mount_folder_path>\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"
 ```
@@ -646,7 +646,7 @@ copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windo
 
 copy "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi"
 
-copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"
+copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi"
 
 copy "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"
 ```
@@ -840,7 +840,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag
         **Example**:
 
         ```powershell
-        Remove-Item - Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Force
+        Remove-Item -Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Force
         ```
 
         For more information, see [Remove-Item](/powershell/module/microsoft.powershell.management/remove-item).
@@ -1019,7 +1019,7 @@ This process updates the boot image used by Configuration Manager. It also updat
 
 ### Updating Configuration Manager boot media
 
-After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media. Updating any Configuration Manager task sequence media ensures that the task sequence media has both the updated boot image. If applicable, it will also updat bootmgr boot files on the media by extracting the latest versions from the boot image. For more information on creating Configuration Manager task sequence media, see [Create task sequence media](/mem/configmgr/osd/deploy-use/create-task-sequence-media).
+After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media. Updating any Configuration Manager task sequence media ensures that the task sequence media has both the updated boot image. If applicable, it will also update bootmgr boot files on the media by extracting the latest versions from the boot image. For more information on creating Configuration Manager task sequence media, see [Create task sequence media](/mem/configmgr/osd/deploy-use/create-task-sequence-media).
 
 ## Microsoft Deployment Toolkit (MDT) considerations
 
@@ -1154,7 +1154,7 @@ then follow these steps to update the boot image in WDS:
 
     ---
 
-2. Once the existing boot image in WDS has been replaced, restart the WDS service:
+1. Once the existing boot image in WDS has been replaced, restart the WDS service:
 
     #### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell)
 
@@ -1233,7 +1233,7 @@ then follow these steps to add the boot image in WDS:
 
     ---
 
-2. Once the existing boot image in WDS has been replaced, restart the WDS service:
+1. Once the existing boot image in WDS has been replaced, restart the WDS service:
 
     #### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell)
 
@@ -1271,4 +1271,15 @@ The **boot.wim** that is part of Windows installation media isn't supported for
 
 ## Windows Server 2012 R2
 
-This walk-through isn't intended for use with Windows Server 2012 R2. Although the steps in this article may work with Windows Server 2012 R2 when using older versions of the Windows ADK. However it may have compatibility problems with versions of the Windows ADK that are newer than the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). For server OSes, it's recommended to use Windows Server 2016 or later for this walk-through. For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2).
+This walk-through isn't intended for use with Windows Server 2012 R2. The steps in this article may work with Windows Server 2012 R2 when using older versions of the Windows ADK. However, it may have compatibility problems with versions of the Windows ADK that are newer than the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). To resolve compatibility problems with newer ADKs and Windows Server 2012 R2:
+
+1. Upgrade Windows Server 2012 R2 to a newer version of Windows Server.
+1. Perform the boot image customizations on a computer running a version of Windows that supports the newer ADKs, for example Windows 10 or Windows 11, and then transfer the modified boot image to the Windows Server 2012 R2 server.
+
+For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2).
+
+## Related articles
+
+- [Create bootable Windows PE media: Update the Windows PE add-on for the Windows ADK](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#update-the-windows-pe-add-on-for-the-windows-adk)
+- [Update Windows installation media with Dynamic Update: Update WinPE](/windows/deployment/update/media-dynamic-update#update-winpe)
+- [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932: Updating bootable media](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d?preview=true#updatebootable5025885)
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 92d3cab701..8ad4658ea1 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -19,7 +19,7 @@ ms.date: 11/23/2022
 
 # Deploy Windows Enterprise licenses
 
-This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [subscription activation](windows-10-subscription-activation.md) or [Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
+This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [subscription activation](windows-10-subscription-activation.md) or [Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Microsoft Entra ID.
 
 These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro:
 
@@ -66,24 +66,26 @@ If you need to update contact information and resend the activation email, use t
 ## Preparing for deployment: reviewing requirements
 
 - Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro
-- Azure AD-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible.
+- Microsoft Entra joined, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.
 
 For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this article.
 
-### Active Directory synchronization with Azure AD
+<a name='active-directory-synchronization-with-azure-ad'></a>
 
-If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Azure AD. An example of a cloud service is Windows Enterprise E3 or E5.
+### Active Directory synchronization with Microsoft Entra ID
 
-**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. Azure AD Connect is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
+If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Microsoft Entra ID. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Microsoft Entra ID. An example of a cloud service is Windows Enterprise E3 or E5.
+
+**Figure 1** illustrates the integration between the on-premises AD DS domain with Microsoft Entra ID. Microsoft Entra Connect is responsible for synchronization of identities between the on-premises AD DS domain and Microsoft Entra ID. Microsoft Entra Connect is a service that you can install on-premises or in a virtual machine in Azure.
 
 :::image type="content" source="images/enterprise-e3-ad-connect.png" alt-text="Figure 1 illustrates the integration between the on-premises AD DS domain with Azure AD.":::
 
-Figure 1: On-premises AD DS integrated with Azure AD
+Figure 1: On-premises AD DS integrated with Microsoft Entra ID
 
-For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
+For more information about integrating on-premises AD DS domains with Microsoft Entra ID, see the following resources:
 
-- [What is hybrid identity with Azure Active Directory?](/azure/active-directory/hybrid/whatis-hybrid-identity)
-- [Azure AD Connect and Azure AD Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap)
+- [What is hybrid identity with Microsoft Entra ID?](/azure/active-directory/hybrid/whatis-hybrid-identity)
+- [Microsoft Entra Connect and Microsoft Entra Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap)
 
 ## Assigning licenses to users
 
@@ -93,7 +95,7 @@ After you've ordered the Windows subscription (Windows 10 Business, E3 or E5), y
 
 The following methods are available to assign licenses:
 
-- When you have the required Azure AD subscription, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
+- When you have the required Microsoft Entra subscription, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
 
 - You can sign in to the Microsoft 365 admin center and manually assign licenses:
 
@@ -113,11 +115,15 @@ Now that you've established a subscription and assigned licenses to users, you c
 > [!NOTE]
 > The following experiences are specific to Windows 10. The general concepts also apply to Windows 11.
 
-### Step 1: Join Windows Pro devices to Azure AD
+<a name='step-1-join-windows-pro-devices-to-azure-ad'></a>
 
-You can join a Windows Pro device to Azure AD during setup, the first time the device starts. You can also join a device that's already set up.
+### Step 1: Join Windows Pro devices to Microsoft Entra ID
 
-#### Join a device to Azure AD the first time the device is started
+You can join a Windows Pro device to Microsoft Entra ID during setup, the first time the device starts. You can also join a device that's already set up.
+
+<a name='join-a-device-to-azure-ad-the-first-time-the-device-is-started'></a>
+
+#### Join a device to Microsoft Entra ID the first time the device is started
 
 1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then select **Next**.
 
@@ -125,21 +131,23 @@ You can join a Windows Pro device to Azure AD during setup, the first time the d
 
     Figure 2: The "Who owns this PC?" page in initial Windows 10 setup.
 
-1. On the **Choose how you'll connect** page, select **Join Azure AD**, and then select **Next**.
+1. On the **Choose how you'll connect** page, select **Join Microsoft Entra ID**, and then select **Next**.
 
     :::image type="content" source="images/enterprise-e3-choose-how.png" alt-text="A screenshot of the 'Choose how you'll connect' page in Windows 10 setup.":::
 
     Figure 3: The "Choose how you'll connect" page in initial Windows 10 setup.
 
-1. On the **Let's get you signed in** page, enter your Azure AD credentials, and then select **Sign in**.
+1. On the **Let's get you signed in** page, enter your Microsoft Entra credentials, and then select **Sign in**.
 
     :::image type="content" source="images/enterprise-e3-lets-get.png" alt-text="A screenshot of the 'Let's get you signed in' page in Windows 10 setup.":::
 
     Figure 4: The "Let's get you signed in" page in initial Windows 10 setup.
 
-Now the device is Azure AD-joined to the organization's subscription.
+Now the device is Microsoft Entra joined to the organization's subscription.
 
-#### Join a device to Azure AD when the device is already set up with Windows 10 Pro
+<a name='join-a-device-to-azure-ad-when-the-device-is-already-set-up-with-windows-10-pro'></a>
+
+#### Join a device to Microsoft Entra ID when the device is already set up with Windows 10 Pro
 
 > [!IMPORTANT]
 > Make sure that the user you're signing in with is _not_ the **BUILTIN/Administrator** account. That user can't use the `+ Connect` action to join a work or school account.
@@ -150,31 +158,33 @@ Now the device is Azure AD-joined to the organization's subscription.
 
     Figure 5: "Connect to work or school" configuration in Settings.
 
-1. In **Set up a work or school account**, select **Join this device to Azure Active Directory**.
+1. In **Set up a work or school account**, select **Join this device to Microsoft Entra ID**.
 
     :::image type="content" source="images/enterprise-e3-set-up-work-or-school.png" alt-text="A screenshot of the 'Set up a work or school account' wizard.":::
 
     Figure 6: Set up a work or school account.
 
-1. On the **Let's get you signed in** page, enter your Azure AD credentials, and then select **Sign in**.
+1. On the **Let's get you signed in** page, enter your Microsoft Entra credentials, and then select **Sign in**.
 
     :::image type="content" source="images/enterprise-e3-lets-get-2.png" alt-text="A screenshot of the 'Let's get you signed in' window.":::
 
     Figure 7: The "Let's get you signed in" window.
 
-Now the device is Azure AD-joined to the organization's subscription.
+Now the device is Microsoft Entra joined to the organization's subscription.
 
 ### Step 2: Pro edition activation
 
 If the device is running a supported version of Windows 10 or Windows 11, it automatically activates Windows Enterprise edition using the firmware-embedded activation key.
 
-### Step 3: Sign in using Azure AD account
+<a name='step-3-sign-in-using-azure-ad-account'></a>
 
-Once the device is joined to Azure AD, users will sign in with their Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
+### Step 3: Sign in using Microsoft Entra account
 
-:::image type="content" source="images/enterprise-e3-sign-in.png" alt-text="A screenshot of signing in to Windows 10 as an Azure AD user.":::
+Once the device is joined to Microsoft Entra ID, users will sign in with their Microsoft Entra account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
 
-Figure 8: Sign in to Windows 10 with an Azure AD account.
+:::image type="content" source="images/enterprise-e3-sign-in.png" alt-text="A screenshot of signing in to Windows 10 as a Microsoft Entra user.":::
+
+Figure 8: Sign in to Windows 10 with a Microsoft Entra account.
 
 ### Step 4: Verify that Enterprise edition is enabled
 
@@ -246,7 +256,7 @@ It displays both of the previously mentioned error messages.
 
 Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro. Earlier versions of Windows 10, such as version 1703, don't support this feature.
 
-Devices must also be joined to Azure AD, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible.
+Devices must also be joined to Microsoft Entra ID, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.
 
 Use the following procedures to review whether a particular device meets these requirements.
 
@@ -260,11 +270,13 @@ To determine if the computer has a firmware-embedded activation key, enter the f
 
 If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
 
-#### Determine if a device is Azure AD-joined
+<a name='determine-if-a-device-is-azure-ad-joined'></a>
+
+#### Determine if a device is Microsoft Entra joined
 
 1. Open a command prompt and enter `dsregcmd /status`.
 
-1. Review the output in the **Device State** section. If the **AzureAdJoined** value is **YES**, the device is joined to Azure AD.
+1. Review the output in the **Device State** section. If the **AzureAdJoined** value is **YES**, the device is joined to Microsoft Entra ID.
 
 #### Determine the version of Windows
 
@@ -296,4 +308,4 @@ If a device isn't able to connect to Windows Update, it can lose activation stat
 
 Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
 
-Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Azure AD-joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).
+Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index cef1350b94..dd75e9b3fc 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -11,7 +11,7 @@ ms.technology: itpro-deploy
 ms.collection:
   - highpri
   - tier3
-ms.date: 11/28/2022
+ms.date: 10/13/2023
 ---
 
 # Prepare for deployment with MDT
@@ -135,7 +135,8 @@ To install WSUS on MDT01, enter the following at an elevated Windows PowerShell
 
 ```powershell
 Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
-"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
+cd "C:\Program Files\Update Services\Tools"
+.\wsusutil.exe postinstall CONTENT_DIR=C:\WSUS
 ```
 
 > [!NOTE]
@@ -264,19 +265,19 @@ See the following example:
 
 ![Logs folder.](../images/mdt-05-fig08.png)
 
-## Use CMTrace to read log files (optional)
+## Use Support Center OneTrace or CMTrace to read log files (optional)
 
-The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/mem/configmgr/core/support/cmtrace)).
+The log files in MDT Lite Touch are formatted to be read by [Support Center OneTrace](/mem/configmgr/core/support/support-center-onetrace) or [CMTrace](/mem/configmgr/core/support/cmtrace).
 
-You can use Notepad (example below):
+Notepad can be used to read the log files (example below):
 
 ![figure 8.](../images/mdt-05-fig09.png)
 
-Alternatively, CMTrace formatting makes the logs much easier to read. See the same log file below, opened in CMTrace:
+However, Support Center OneTrace or CMTrace makes the logs much easier to read. See the same log file below, opened in CMTrace:
 
 ![figure 9.](../images/mdt-05-fig10.png)
 
-After installing the ConfigMgrTools.msi file, you can search for **cmtrace** and pin the tool to your taskbar for easy access.
+Both Support Center OneTrace and CMTrace are available as part of Microsoft Configuration Manager.
 
 ## Next steps
 
diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml
index f0aca1051c..136f9e7998 100644
--- a/windows/deployment/do/TOC.yml
+++ b/windows/deployment/do/TOC.yml
@@ -13,6 +13,8 @@
     items:
     - name: Set up Delivery Optimization for Windows
       href: waas-delivery-optimization-setup.md
+    - name: Monitor Delivery Optimization for Windows
+      href: waas-delivery-optimization-monitor.md
     - name: Configure Delivery Optimization settings using Microsoft Intune
       href: /mem/intune/configuration/delivery-optimization-windows
   - name: Resources for Delivery Optimization
@@ -36,13 +38,11 @@
       - name: Requirements
         href: mcc-enterprise-prerequisites.md
       - name: Deploy Microsoft Connected Cache
-        href: mcc-enterprise-portal-deploy.md
+        href: mcc-enterprise-deploy.md
       - name: Update or uninstall MCC
         href: mcc-enterprise-update-uninstall.md
       - name: Appendix
         href: mcc-enterprise-appendix.md
-      - name: MCC for Enterprise and Education (early preview)
-        href: mcc-enterprise-deploy.md      
     - name: MCC for ISPs
       items:
       - name: MCC for ISPs Overview
diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md
index aa74140003..9189e7e85d 100644
--- a/windows/deployment/do/delivery-optimization-endpoints.md
+++ b/windows/deployment/do/delivery-optimization-endpoints.md
@@ -1,25 +1,24 @@
 ---
 title: Microsoft Connected Cache content and services endpoints
-description: List of fully qualified domain names, ports, and associated content types to use Delivery Optimization and Microsoft Connected Cache.
-ms.date: 03/31/2023
+description: List of fully qualified domain names, ports, and associated content used by Microsoft Connected Cache.
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: reference
-ms.localizationpriority: medium
 author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
 manager: aaroncz
 ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
+- ✅ <a href=https://learn.microsoft.com/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache target=_blank>Connected Cache on a Configuration Manager distribution point</a>		
+ms.date: 03/31/2023
 ---
 
 # Microsoft Connected Cache content and services endpoints
 
-_Applies to:_
-
-- Windows 11
-- Windows 10
-
 > [!NOTE]
 > All ports are outbound.
 
diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md
index 922909b41d..70feba838a 100644
--- a/windows/deployment/do/delivery-optimization-proxy.md
+++ b/windows/deployment/do/delivery-optimization-proxy.md
@@ -1,25 +1,24 @@
 ---
 title: Using a proxy with Delivery Optimization
-manager: aaroncz
-description: Settings to use with various proxy configurations to allow Delivery Optimization to work
+description: Settings to use with various proxy configurations to allow Delivery Optimization to work in your environment.
 ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: article
 ms.technology: itpro-updates
-ms.date: 12/31/2017
-ms.collection: tier3
+ms.topic: conceptual
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
+ms.date: 06/02/2023
 ---
 
 # Using a proxy with Delivery Optimization
 
-**Applies to:**
-
-- Windows 11
-- Windows 10
-
 When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls.
 
 Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows.  
diff --git a/windows/deployment/do/delivery-optimization-test.md b/windows/deployment/do/delivery-optimization-test.md
index 978410d908..bb0123cd75 100644
--- a/windows/deployment/do/delivery-optimization-test.md
+++ b/windows/deployment/do/delivery-optimization-test.md
@@ -1,16 +1,20 @@
 ---
 title: Testing Delivery Optimization
-description: Explanation of Delivery Optimization distributed cache and high-level design. Demonstrate how Delivery Optimization peer-to-peer works in different test scenarios.
-ms.date: 11/08/2022
+description: Explanation of Delivery Optimization distributed cache and high-level design. Demonstrate how Delivery Optimization peer-to-peer works in different scenarios.
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: reference
-ms.localizationpriority: medium
 author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
 manager: aaroncz
 ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
+ms.date: 11/08/2022
 ---
 
 # Testing Delivery Optimization
diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md
index c201a86893..b5082f4ec4 100644
--- a/windows/deployment/do/delivery-optimization-workflow.md
+++ b/windows/deployment/do/delivery-optimization-workflow.md
@@ -1,25 +1,25 @@
 ---
-title: Delivery Optimization client-service communication explained
-manager: aaroncz
+title: Delivery Optimization client-service communication
 description: Details of how Delivery Optimization communicates with the server when content is requested to download.
 ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: article
 ms.technology: itpro-updates
-ms.date: 12/31/2017
-ms.collection: tier3
+ms.topic: conceptual
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>	
+ms.date: 12/31/2017
 ---
 
 # Delivery Optimization client-service communication explained
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
+Delivery Optimization is a cloud-managed solution that uses peer-to-peer (P2P) and local caching to deliver software updates and apps to Windows clients across your network. This article describes details of how Delivery Optimization communicates with the server when content is requested to download.
 ## Download request workflow
 
 This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to verify the content and to determine all available locations to pull content from.
diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml
index 3d120dad99..c886372c0f 100644
--- a/windows/deployment/do/index.yml
+++ b/windows/deployment/do/index.yml
@@ -41,10 +41,10 @@ landingContent:
     linkLists:
       - linkListType: how-to-guide
         links:
-          - text: Delivery Optimization settings
+          - text: Delivery Optimization recommended settings
             url: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings
-          - text: Windows PowerShell for Delivery Optimization
-            url: waas-delivery-optimization-setup.md#windows-powershell-cmdlets
+          - text: Monitor Delivery Optimization for Windows
+            url: waas-delivery-optimization-monitor.md
           - text: Troubleshoot Delivery Optimization
             url: waas-delivery-optimization-setup.md#troubleshooting
           - text: Delivery Optimization Frequently Asked Questions
diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md
index 566e605a7c..353a3d4dee 100644
--- a/windows/deployment/do/mcc-ent-edu-overview.md
+++ b/windows/deployment/do/mcc-ent-edu-overview.md
@@ -1,24 +1,23 @@
 ---
 title: MCC for Enterprise and Education Overview
-manager: aaroncz
-description: Overview of Microsoft Connected Cache (MCC) for Enterprise and Education.
+description: Overview, supported scenarios, and content types for Microsoft Connected Cache (MCC) for Enterprise and Education.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 ms.author: carmenf
 author: cmknox
-ms.topic: article
-ms.date: 05/09/2023
-ms.technology: itpro-updates
-ms.collection: tier3
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>	
+ms.date: 05/09/2023
 ---
 
 # Microsoft Connected Cache for Enterprise and Education Overview
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > [!IMPORTANT]
 > - Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 > - We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md
index 20462921af..1192eaf675 100644
--- a/windows/deployment/do/mcc-enterprise-appendix.md
+++ b/windows/deployment/do/mcc-enterprise-appendix.md
@@ -1,15 +1,21 @@
 ---
-title: Appendix
-manager: aaroncz
-description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education.
+title: Appendix for MCC for Enterprise and Education
+description: This article contains reference information for Microsoft Connected Cache (MCC) for Enterprise and Education.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
-ms.collection: tier3
+ms.collection:
+  - tier3
+  - must-keep
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
+ms.date: 02/06/2023
 ---
 
 # Appendix
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md
index cdcf5c1b5d..10f5b9cddf 100644
--- a/windows/deployment/do/mcc-enterprise-deploy.md
+++ b/windows/deployment/do/mcc-enterprise-deploy.md
@@ -1,23 +1,24 @@
 ---
-title: MCC for Enterprise and Education (early preview)
-manager: aaroncz
-description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node
+title: Deploying your cache node
+description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node from the Auzre portal.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
 ms.author: carmenf
 author: cmknox
 ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
+manager: aaroncz
 ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>	
+ms.date: 03/10/2023
 ---
 
-# Deploying your enterprise cache node
+# Deploy your cache node
 
-**Applies to**
-
-- Windows 10
-- Windows 11
+This article describes how to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node.
 
 ## Steps to deploy MCC
 
@@ -130,7 +131,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
 - Downloads, installs, and deploys EFLOW
 - Enables Microsoft Update so EFLOW can stay up to date
 - Creates a virtual machine
-- Enables the firewall and opens ports 80 for inbound and outbound traffic. Port 80 is used by MCC.
+- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications.
 - Configures Connected Cache tuning settings.
 - Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge.
 - Deploys the MCC container to server.
diff --git a/windows/deployment/do/mcc-enterprise-portal-deploy.md b/windows/deployment/do/mcc-enterprise-portal-deploy.md
deleted file mode 100644
index eea23e3bad..0000000000
--- a/windows/deployment/do/mcc-enterprise-portal-deploy.md
+++ /dev/null
@@ -1,145 +0,0 @@
----
-title: Deploying your cache node
-manager: aaroncz
-description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node
-ms.prod: windows-client
-ms.author: carmenf
-author: cmknox
-ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
-ms.collection: tier3
----
-
-# Deploying your cache node
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-## Create the Microsoft Connected Cache resource
-
-1. Navigate to Azure portal by using the [following link](https://aka.ms/mcc-enterprise-preview): 
-    > [!IMPORTANT]
-    > You must access Azure portal using this link (https://aka.ms/mcc-enterprise-preview) in order to find the correct Microsoft Connected Cache resource.
-
-    ![Screenshot of Azure portal "Create a resource" page, where you search for the Microsoft Connected Cache resource](images/ent-mcc-portal-create.png)
-
-1. In the search bar by **Get Started**, search for `Microsoft Connected Cache for Enterprise`.
-    ![Screenshot of Azure portal after searching for the Microsoft Connected Cache resource](images/ent-mcc-portal-resource.png)
-1. Select **Create** to create your Microsoft Connected Cache resource. When prompted, choose the subscription, resource group, and location of your cache node. Also, enter a name for your cache node.
-1. The creation of the cache node may take a few minutes. After a successful creation, you'll see a “Deployment complete” page as below. Select **Go to resource**.
-![Screenshot of Azure portal after the deployment is complete](images/ent-mcc-deployment-complete.png)
-
-## Create, provision, and deploy the cache node in Azure portal
-
-To create, provision, and deploy the cache node in Azure portal, follow these steps:
-1.	Open Azure portal and navigate to the Microsoft Connected Cache for Enterprise (preview) resource.
-1.	Navigate to **Settings** > **Cache nodes** and select **Create Cache Node**.
-1.	Provide a name for your cache node and select **Create** to create your cache node. 
-1.	You may need to refresh to see the cache node. Select the cache node to configure it. 
-1.	Fill out the Basics and Storage fields. Enter the cache drive size in GB - this has a minimum size of 50 GB.
-
-    ![Screenshot of Azure portal on the Provisioning page, where the user can configure their cache node.](images/ent-mcc-provisioning.png)
-Once complete, select **Save** at the top of the page and select **Provision server**.
-1.	To deploy your cache node, download the installer by selecting **Download provisioning package**.
-1.	Run the provided provisioning script - note that this is unique to each cache node. 
-
-## Verify proper functioning MCC server
-
-#### Verify client side
-
-Connect to the EFLOW VM and check if MCC is properly running:
-
-1. Open PowerShell as an Administrator.
-2. Enter the following commands:
-
-   ```powershell
-   Connect-EflowVm
-   sudo -s
-   iotedge list
-   ```
-
-   :::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png":::
-
-You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy.
-
-#### Verify server side
-
-For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace <CacheServerIP\> with the IP address of the cache server.
-
-```powershell
-wget [http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]
-```
-
-A successful test result will display a status code of 200 along with additional information.
-
-:::image type="content" source="./images/ent-mcc-verify-server-ssh.png" alt-text="Screenshot of a successful wget with an SSH client." lightbox="./images/ent-mcc-verify-server-ssh.png":::
-
- :::image type="content" source="./images/ent-mcc-verify-server-powershell.png" alt-text="Screenshot of a successful wget using PowerShell." lightbox="./images/ent-mcc-verify-server-powershell.png":::
-
-Similarly, enter the following URL from a browser in the network:
-
-`http://<YourCacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com`
-
-If the test fails, see the [common issues](#common-issues) section for more information.
-
-### Monitoring your metrics
-
-To view the metrics associated with your cache nodes, navigate to the **Overview** > **Monitoring** tab within the Azure portal.
-
-:::image type="content" source="./images/mcc-isp-metrics.png" alt-text="Screenshot of the Azure portal displaying the metrics view in the Overview tab.":::
-
-You can choose to monitor the health and performance of all cache nodes or one at a time by using the dropdown menu. The **Egress bits per second** graph shows your inbound and outbound traffic of your cache nodes over time. You can change the time range (1 hour, 12 hours, 1 day, 7 days, 14 days, and 30 days) by selecting the time range of choice on the top bar.
-
-If you're unable to view metrics for your cache node, it may be that your cache node is unhealthy, inactive, or hasn't been fully configured.
-
-
-### Intune (or other management software) configuration for MCC
-
-For an [Intune](/mem/intune/) deployment, create a **Configuration Profile** and include the Cache Host eFlow IP Address or FQDN:
-
-:::image type="content" source="./images/ent-mcc-intune-do.png" alt-text="Screenshot of Intune showing the Delivery Optimization cache server host names.":::
-
-## Common Issues
-
-#### PowerShell issues
-
-If you're seeing errors similar to this error: `The term Get-<Something> isn't recognized as the name of a cmdlet, function, script file, or operable program.`
-
-1. Ensure you're running Windows PowerShell version 5.x.
-
-1. Run \$PSVersionTable and ensure you're running version 5.x and *not version 6 or 7*.
-
-1. Ensure you have Hyper-V enabled:
-
-    **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v)
-
-    **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)
-
-#### Verify Running MCC Container
-
-Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands:
-
-```bash
-Connect-EflowVm
-sudo iotedge list
-```
-
-:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png":::
-
-If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command:
-
-```bash
-sudo journalctl -u iotedge -f
-```
-
-This command will provide the current status of the starting, stopping of a container, or the container pull and start.  
-
-:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png":::
-
-
-> [!NOTE]
-> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation.
diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md
index dec45fd83c..2fa49f91cc 100644
--- a/windows/deployment/do/mcc-enterprise-prerequisites.md
+++ b/windows/deployment/do/mcc-enterprise-prerequisites.md
@@ -1,24 +1,23 @@
 ---
-title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education
-manager: aaroncz
-description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education.
+title: Requirements for MCC for Enterprise and Education
+description: Overview of prerequisites and recommendations for using Microsoft Connected Cache (MCC) for Enterprise and Education.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
 ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
+ms.date: 05/01/2023
 ---
 
 # Requirements of Microsoft Connected Cache for Enterprise and Education (early preview)
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > [!NOTE]
 > We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
 
diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md
index d79c144a59..207c2cf5fb 100644
--- a/windows/deployment/do/mcc-enterprise-update-uninstall.md
+++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md
@@ -1,16 +1,23 @@
 ---
-title: Update or uninstall Microsoft Connected Cache for Enterprise and Education
-manager: aaroncz
-description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education.
+title: Update or uninstall MCC for Enterprise and Education
+description: Details on how to update or uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
-ms.collection: tier3
+ms.collection:
+  - tier3
+  - must-keep
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a> 
+ms.date: 10/12/2022
 ---
+
 # Update or uninstall Microsoft Connected Cache for Enterprise and Education
 
 Throughout the preview phase, we'll send you security and feature updates for MCC. Follow these steps to perform the update.
diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md
index b7bea13484..3a8b22508f 100644
--- a/windows/deployment/do/mcc-isp-cache-node-configuration.md
+++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md
@@ -1,15 +1,21 @@
 ---
-title: Cache node configuration
+title: Cache node configuration settings
 manager: aaroncz
-description: Configuring a cache node on Azure portal
+description: List of options that are available while configuring a cache node for your environment from the Azure portal.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 ms.author: carmenf
 author: cmknox
 ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
-ms.collection: tier3
+ms.collection:
+  - tier3
+  - must-keep
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
+ms.date: 08/16/2023
 ---
 
 # Cache node configuration
diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md
index d118693501..90165d9a23 100644
--- a/windows/deployment/do/mcc-isp-create-provision-deploy.md
+++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md
@@ -1,24 +1,23 @@
 ---
-title: Create, provision, and deploy the cache node in Azure portal
-manager: aaroncz
+title: Create, provision, and deploy the cache node
 description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal
 ms.prod: windows-client
+ms.technology: itpro-updates
+manager: aaroncz
 author: nidos
 ms.author: nidos
-ms.topic: article
-ms.date: 05/09/2023
-ms.technology: itpro-updates
-ms.collection: tier3
 ms.reviewer: mstewart
+ms.topic: conceptual
+ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a> 	
+ms.date: 05/09/2023
 ---
 
 # Create, configure, provision, and deploy the cache node in Azure portal
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes. The creation and provisioning of your cache node takes place in Azure portal. The deployment of your cache node requires downloading an installer script that will be run on your cache server.
 
 > [!IMPORTANT]
diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml
index f04f2e3dc9..4d845ee97e 100644
--- a/windows/deployment/do/mcc-isp-faq.yml
+++ b/windows/deployment/do/mcc-isp-faq.yml
@@ -2,6 +2,9 @@
 metadata:
   title: Microsoft Connected Cache Frequently Asked Questions
   description: The following article is a list of frequently asked questions for Microsoft Connected Cache.
+  ms.prod: windows-client
+  ms.technology: itpro-updates
+  ms.topic: faq
   ms.author: carmenf
   author: cmknox
   ms.reviewer: mstewart
@@ -9,14 +12,13 @@ metadata:
   ms.collection:
     - highpri
     - tier3
-  ms.topic: faq
-  ms.date: 09/30/2022
-  ms.prod: windows-client
-  ms.technology: itpro-updates
+  appliesto: 
+    - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+    - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+  ms.date: 04/27/2023
 title: Microsoft Connected Cache Frequently Asked Questions
 summary: |
-  **Applies to**
-  -   Windows 10 and later
+  Frequently asked questions about Microsoft Connected Cache
   
 sections:
   - name: Ignored
diff --git a/windows/deployment/do/mcc-isp-overview.md b/windows/deployment/do/mcc-isp-overview.md
index 9c0aa7fd80..f299c32448 100644
--- a/windows/deployment/do/mcc-isp-overview.md
+++ b/windows/deployment/do/mcc-isp-overview.md
@@ -1,23 +1,22 @@
 ---
 title: MCC for ISPs Overview
-manager: aaroncz
-description: Overview for Microsoft Connected Cache for ISPs
+description: Overview of Microsoft Connected Cache for ISPs. Learn about how MCC works, supported scenarios, and supported content.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: overview
+manager: aaroncz
 ms.author: carmenf
 author: cmknox
 ms.reviewer: mstewart
-ms.topic: article
-ms.date: 07/27/2023
-ms.technology: itpro-updates
 ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>	
+ms.date: 07/27/2023
 ---
 
-# Microsoft Connected Cache for ISPs Overview
-
-**Applies to**
-
-- Windows 10
-- Windows 11
+# Microsoft Connected Cache for ISPs overview
 
 Microsoft Connected Cache (MCC) for Internet Service Providers (preview) is a free software-only caching solution that delivers Microsoft content. MCC can be deployed free of charge to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
 
diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md
index 087a11d27f..c125b1e4e9 100644
--- a/windows/deployment/do/mcc-isp-signup.md
+++ b/windows/deployment/do/mcc-isp-signup.md
@@ -1,24 +1,23 @@
 ---
 title: Operator sign up and service onboarding
-manager: aaroncz
-description: Service onboarding for Microsoft Connected Cache for ISP
+description: Instructions on how to go through the service onboarding process for Microsoft Connected Cache for ISPs.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+manager: aaroncz
 author: nidos
 ms.author: nidos
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
-ms.collection: tier3
 ms.reviewer: mstewart
+ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>	
+ms.date: 07/07/2023
 ---
 
 # Operator sign up and service onboarding for Microsoft Connected Cache
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 This article details the process of signing up for Microsoft Connected Cache for Internet Service Providers (public preview). 
 
  > [!NOTE]
@@ -73,7 +72,7 @@ Before you begin sign up, ensure you have the following components:
     :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png":::
 
     > [!NOTE]
-    > **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Here’s your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**.
+    > **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**.
 
 1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node.
 
diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md
index dba3bbfc15..2916abf2ef 100644
--- a/windows/deployment/do/mcc-isp-support.md
+++ b/windows/deployment/do/mcc-isp-support.md
@@ -1,24 +1,23 @@
 ---
 title: Support and troubleshooting
-manager: aaroncz
-description: Troubleshooting issues for Microsoft Connected Cache for ISP
+description: Troubleshooting information for commonly encountered issues for onboarding or using Microsoft Connected Cache for ISPs.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 author: nidos
 ms.author: nidos
-ms.topic: reference
-ms.date: 12/31/2017
-ms.technology: itpro-updates
-ms.collection: tier3
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>	
+ms.date: 12/31/2017
 ---
 
 # Support and troubleshooting
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 This article provides information on how to troubleshoot common issues with Microsoft Connected Cache for ISPs.
 
 ## Common issues
diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md
index ab13ed3b58..bd9f199feb 100644
--- a/windows/deployment/do/mcc-isp-update.md
+++ b/windows/deployment/do/mcc-isp-update.md
@@ -1,15 +1,21 @@
 ---
 title: Update or uninstall your cache node
-manager: aaroncz
-description: How to update or uninstall your cache node
+description: This article contains information on how to update or uninstall your cache node for Microsoft Connected Cache for ISPs.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
-ms.collection: tier3
+ms.collection:
+  - tier3
+  - must-keep
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>	
+ms.date: 10/10/2022
 ---
 
 # Update or uninstall your cache node
diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md
index 9dc6e22466..eb3063a44f 100644
--- a/windows/deployment/do/mcc-isp-verify-cache-node.md
+++ b/windows/deployment/do/mcc-isp-verify-cache-node.md
@@ -1,15 +1,18 @@
 ---
-title: Verify cache node functionality and monitor health and performance
-manager: aaroncz
-description: How to verify the functionality of a cache node
+title: Verify cache node functionality and monitor health
+titleSuffix: Microsoft Connected Cache for ISPs
+description: How to verify the functionality of a cache node, monitor health and performance, and review metrics.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
-ms.topic: article
-ms.date: 12/31/2017
-ms.technology: itpro-updates
 ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/mcc-isp target=_blank>Microsoft Connected Cache for ISPs</a>
+ms.date: 02/09/2023
 ---
 
 # Verify cache node functionality and monitor health and performance
diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md
index 7d3b9de1cc..18b1bb8b73 100644
--- a/windows/deployment/do/mcc-isp-vm-performance.md
+++ b/windows/deployment/do/mcc-isp-vm-performance.md
@@ -1,15 +1,18 @@
 ---
 title: Enhancing cache performance
-manager: aaroncz
-description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
+titleSuffix: Microsoft Connected Cache for ISPs
+description: This article explains how to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 ms.author: carmenf
 author: cmknox
+manager: aaroncz
 ms.reviewer: mstewart
-ms.topic: reference
-ms.technology: itpro-updates
-ms.date: 12/31/2017
 ms.collection: tier3
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/mcc-isp target=_blank>Microsoft Connected Cache for ISPs</a>
+ms.date: 12/31/2017
 ---
 
 # Enhancing cache performance
diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md
index 097b922aa9..a8cdcfc4e1 100644
--- a/windows/deployment/do/mcc-isp.md
+++ b/windows/deployment/do/mcc-isp.md
@@ -1,30 +1,29 @@
 ---
-title: Microsoft Connected Cache for Internet Service Providers (ISPs)
-description: Details on Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs).
+title: Microsoft Connected Cache for ISPs
+description: This article contains details about the early preview for Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs).
 ms.prod: windows-client
 ms.technology: itpro-updates
-ms.localizationpriority: medium
+ms.topic: how-to
 ms.author: carmenf
 author: cmknox
 ms.reviewer: mstewart
 manager: aaroncz
-ms.topic: how-to
-ms.date: 05/20/2022
+ms.localizationpriority: medium
 ms.collection: tier3
+ms.date: 03/07/2023
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ Microsoft Connected Cache for ISPs (early preview)
 ---
 
 # Microsoft Connected Cache for Internet Service Providers (early preview)
 
-*Applies to*
-
-- Windows 10
-- Windows 11
-
-## Overview
-
 > [!IMPORTANT]
 > This document is for Microsoft Connected Cache (early preview). Microsoft Connected Cache for ISPs is now in Public Preview - for our early preview customers, we highly encourage you to migrate your cache nodes to our public preview. See [instructions on how to migrate](#migrating-your-mcc-to-public-preview) below.
 
+## Overview
+
 Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads.
 
 Microsoft Connected Cache is a hybrid application, in that it's a mix of on-premises and cloud resources. It's composed of a Docker-compatible Linux container deployed to your server and a cloud management portal. Microsoft chose Azure IoT Edge as a secure and reliable control plane. For more information on IoT Edge, see the [Appendix](#appendix). Even though your scenario isn't related to IoT, Azure IoT Edge is our secure Linux container deployment and management infrastructure.
diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml
index d306d123f9..92ff9cd2d4 100644
--- a/windows/deployment/do/waas-delivery-optimization-faq.yml
+++ b/windows/deployment/do/waas-delivery-optimization-faq.yml
@@ -2,21 +2,24 @@
 metadata:
   title: Delivery Optimization Frequently Asked Questions
   description: List of frequently asked questions for Delivery Optimization.
-  ms.reviewer: mstewart
   ms.prod: windows-client
+  ms.technology: itpro-updates
+  ms.topic: faq
   author: cmknox
   ms.author: carmenf
   manager: aaroncz
-  ms.technology: itpro-updates
+  ms.reviewer: mstewart
   ms.collection:
     - highpri
     - tier3
-  ms.topic: faq
+  appliesto: 
+    - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+    - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+    - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>	
   ms.date: 07/31/2023
 title: Delivery Optimization Frequently Asked Questions
 summary: |
-  **Applies to**
-  -   Windows 10 and later
+  Frequently Asked Questions for Delivery Optimization
   
 
 sections:
@@ -48,7 +51,6 @@ sections:
 
           **For the payloads (optional)**:
 
-          - `*.download.windowsupdate.com`
           - `*.windowsupdate.com`
 
           **For group peers across multiple NATs (Teredo)**:
diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/waas-delivery-optimization-monitor.md
similarity index 73%
rename from windows/deployment/do/includes/waas-delivery-optimization-monitor.md
rename to windows/deployment/do/waas-delivery-optimization-monitor.md
index 74d3a3dcb0..512f9d41b7 100644
--- a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
+++ b/windows/deployment/do/waas-delivery-optimization-monitor.md
@@ -1,23 +1,40 @@
 ---
+title: Monitor Delivery Optimization
+description: How to monitor Delivery Optimization using either the Windows Update for Business Delivery Optimization Report or Windows PowerShell cmdlets
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 ms.author: carmenf
 author: cmknox
-ms.reviewer: mstewart
 manager: aaroncz
-ms.prod: windows-client
-ms.technology: itpro-deploy
-ms.topic: include
-ms.date: 07/31/2023
+ms.reviewer: mstewart
+ms.collection:
+  - tier3
 ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
+ms.date: 08/13/2023
 ---
-<!--This file is shared by do/waas-delivery-optimization-setup.md and the update/update-compliance-get-started.md articles -->
 
-## Monitor Delivery Optimization
+# Monitor Delivery Optimization
 
-### Windows PowerShell cmdlets
+To monitor Delivery Optimization, you can use either the Windows Update for Business Delivery Optimization Report or Windows PowerShell cmdlets.
+
+## Monitor with Windows Update for Business Delivery Optimization Report
+
+Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days.
+
+:::image type="content" source="../update/media/wufb-do-overview.png" alt-text="This screenshot shows the Windows Update for Business report, Delivery Optimization status in Update Compliance." lightbox= "../update/media/wufb-do-overview.png":::
+
+For details, see [Windows Update for Business Delivery Optimization Report](/windows/deployment/update/wufb-reports-overview).
+
+## Windows PowerShell cmdlets
 
 **Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization.
 
-#### Analyze usage
+### Analyze usage
 
 `Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs.
 
@@ -113,7 +130,7 @@ Using the `-Verbose` option returns additional information:
 
 Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to data from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
 
-#### Manage the Delivery Optimization cache
+### Manage the Delivery Optimization cache
 
 **Starting in Windows 10, version 1903:**
 
@@ -133,7 +150,7 @@ You can now "pin" files to keep them persistent in the cache, only with files th
 - `-IncludePinnedFiles` deletes all files that are pinned.
 - `-Force` deletes the cache with no prompts.
 
-#### Work with Delivery Optimization logs
+### Work with Delivery Optimization logs
 
 **Starting in Windows 10, version 2004:**
 
@@ -184,18 +201,19 @@ The provider is listed as "Default Provider" if it's using the Delivery Optimiza
 
 The cmdlet returns the following data:
 
-- BatteryPctToSeed: Corresponds to the [DOMinBatteryPercentageAllowedToUpload](../waas-delivery-optimization-reference.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) policy.
+- BatteryPctToSeed: Corresponds to the [DOMinBatteryPercentageAllowedToUpload](waas-delivery-optimization-reference.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) policy.
 - WorkingDirectory: The local folder containing the Delivery Optimization cache.
-- MinTotalDiskSize: Corresponds to the [DOMinDiskSizeAllowedToPeer](../waas-delivery-optimization-reference.md#minimum-disk-size-allowed-to-use-peer-caching) policy.
-- MinTotalRAM: Corresponds to the [DOMinRAMAllowedToPeer](../waas-delivery-optimization-reference.md#minimum-ram-inclusive-allowed-to-use-peer-caching) policy.
-- VpnPeerCachingAllowed: Corresponds to the [DOAllowVPNPeerCaching](../waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
+- MinTotalDiskSize: Corresponds to the [DOMinDiskSizeAllowedToPeer](waas-delivery-optimization-reference.md#minimum-disk-size-allowed-to-use-peer-caching) policy.
+- MinTotalRAM: Corresponds to the [DOMinRAMAllowedToPeer](waas-delivery-optimization-reference.md#minimum-ram-inclusive-allowed-to-use-peer-caching) policy.
+- VpnPeerCachingAllowed: Corresponds to the [DOAllowVPNPeerCaching](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
 - VpnKeywords: List of keywords used to identify a VPN adapter.
-- SetHoursToLimitDownloadBackground: Corresponds to the [DOSetHoursToLimitBackgroundDownloadBandwidth](../waas-delivery-optimization-reference.md#set-business-hours-to-limit-background-download-bandwidth) policy.
-- SetHoursToLimitDownloadForeground: Corresponds to the [DOSetHoursToLimitForegroundDownloadBandwidth](../waas-delivery-optimization-reference.md#set-business-hours-to-limit-foreground-download-bandwidth) policy.
-- DownloadMode: Corresponds to the [DODownloadMode](../waas-delivery-optimization-reference.md#download-mode) policy.
-- DownBackLimitBps: Corresponds to the [DOMaxBackgroundDownloadBandwidth](../waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) policy.
-- DownloadForegroundLimitBps: Corresponds to the [DOMaxForegroundDownloadBandwidth](../waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) policy.
-- DownBackLimitPct: Corresponds to the [DOPercentageMaxBackgroundBandwidth](../waas-delivery-optimization-reference.md#maximum-background-download-bandwidth) policy.
-- DownloadForegroundLimitPct: Corresponds to the [DOPercentageMaxForegroundBandwidth](../waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth) policy.
-- MaxUploadRatePct: Corresponds to the [DOMaxUploadBandwidth](../waas-delivery-optimization-reference.md#max-upload-bandwidth) policy (deprecated in Windows 10, version 2004).
-- UploadLimitMonthlyGB: Corresponds to the [DOMonthlyUploadDataCap](../waas-delivery-optimization-reference.md#monthly-upload-data-cap) policy.
+- SetHoursToLimitDownloadBackground: Corresponds to the [DOSetHoursToLimitBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#set-business-hours-to-limit-background-download-bandwidth) policy.
+- SetHoursToLimitDownloadForeground: Corresponds to the [DOSetHoursToLimitForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#set-business-hours-to-limit-foreground-download-bandwidth) policy.
+- DownloadMode: Corresponds to the [DODownloadMode](waas-delivery-optimization-reference.md#download-mode) policy.
+- DownBackLimitBps: Corresponds to the [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) policy.
+- DownloadForegroundLimitBps: Corresponds to the [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) policy.
+- DownBackLimitPct: Corresponds to the [DOPercentageMaxBackgroundBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth) policy.
+- DownloadForegroundLimitPct: Corresponds to the [DOPercentageMaxForegroundBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth) policy.
+- MaxUploadRatePct: Corresponds to the [DOMaxUploadBandwidth](waas-delivery-optimization-reference.md#max-upload-bandwidth) policy (deprecated in Windows 10, version 2004).
+- UploadLimitMonthlyGB: Corresponds to the [DOMonthlyUploadDataCap](waas-delivery-optimization-reference.md#monthly-upload-data-cap) policy.
+
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index 3a85627cbd..2c3a28d13e 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -1,26 +1,25 @@
 ---
 title: Delivery Optimization reference
-manager: aaroncz
 description: This article provides a summary of references and descriptions for all of the Delivery Optimization settings.
 ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: reference
 ms.technology: itpro-updates
-ms.date: 07/31/2023
-ms.collection: tier3
+ms.topic: reference
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
+ms.date: 07/31/2023
 ---
 
 # Delivery Optimization reference
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
+> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the main spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
 
 There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This article summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md).
 
@@ -35,9 +34,9 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
 
 | Group Policy setting | MDM setting | Supported from version | Notes |
 | --- | --- | --- | ------- |
-| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.|
-| [Group ID](#group-id)  | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID is defined as the AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order.  |
-| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group is defined as the AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. |
+| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that share content between devices in the group.|
+| [Group ID](#group-id)  | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID is defined as the AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order.  |
+| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group is defined as the AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. |
 | [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, a new option to use 'Local discovery (DNS-SD)' is available to set via this policy. |
 | [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. |
 | [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. |
@@ -49,6 +48,8 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
 | [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value is 20 GB. |
 | [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Recommend setting this to 500 KB/s. Default value is 2500 KB/s. |
 | [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. |
+| [VPN Keywords](#vpn-keywords) | DOVpnKeywords | 22H2 September Moment | Allows you to set one or more keywords used to recognize VPN connections. |
+| [Disallow Cache Server Downloads from VPN](#disallow-cache-server-downloads-on-vpn) | DODisallowCacheServerDownloadsOnVPN | 22H2 September Moment | Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN. |
 | [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery.  |
 | [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
 | [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
@@ -134,7 +135,7 @@ Download mode dictates which download sources clients are allowed to use when do
 | Bypass (100) | Starting in Windows 11, this option is deprecated. Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. If you want to disable peer-to-peer functionality, set DownloadMode to (0). If your device doesn't have internet access, set Download Mode to (99). When you set Bypass (100), the download bypasses Delivery Optimization and uses BITS instead. You don't need to set this option if you're using Configuration Manager. |
 
 > [!NOTE]
-> When you use Azure Active Directory tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
+> When you use Microsoft Entra tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
 
 ### Group ID
 
@@ -158,9 +159,9 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
 - 2 = Authenticated domain SID
 - 3 = DHCP Option ID (with this option, the client queries DHCP Option ID 234 and use the returned GUID value as the Group ID)
 - 4 = DNS Suffix
-- 5 = Starting with Windows 10, version 1903, you can use the Azure AD Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
+- 5 = Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
 
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy is ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.  
+When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy is ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.  
 
 ### Minimum RAM (inclusive) allowed to use Peer Caching  
 
@@ -175,19 +176,19 @@ MDM Setting: **DOMinDiskSizeAllowedToPeer**
 This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256, and **the default value is 32 GB**.
 
 >[!NOTE]
->If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check will apply to the new working directory specified by this policy.
+>If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check applies to the new working directory specified by this policy.
 
 ### Max Cache Age
 
 MDM Setting: **DOMaxCacheAge**
 
-In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers redownloading content. When "Unlimited" value is set, Delivery Optimization holds the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**.
+In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers redownloading content. When "Unlimited" value is set, Delivery Optimization holds the files in the cache longer and cleans up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**.
 
 ### Max Cache Size
 
 MDM Setting: **DOMaxCacheSize**
 
-This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization uses up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
+This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization uses up to 10 GB of that space. Delivery Optimization constantly assesses the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
 
 ### Absolute Max Cache Size
 
@@ -206,7 +207,7 @@ This setting specifies the minimum content file size in MB enabled to use Peer C
 MDM Setting: **DOMaxUploadBandwidth**
 
 Deprecated in Windows 10, version 2004.
-This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
+This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization dynamically adjusts and optimize the maximum bandwidth used.
 
 
 ### Maximum Foreground Download Bandwidth
@@ -256,7 +257,7 @@ MDM Setting: **DORestrictPeerSelectionBy**
 
 Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11, the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets.
 
-If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
+If Group mode is set, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID).
 
 The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**.
 
@@ -276,9 +277,7 @@ Starting in Windows 10, version 1803, allows you to delay the use of an HTTP sou
 
 MDM Setting: **DelayCacheServerFallbackForeground**
 
-Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
-
-By default this policy isn't set. So,
+Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
 
 ### Delay Background Download Cache Server Fallback (in secs)
 
@@ -304,12 +303,24 @@ MDM Setting: **DOMonthlyUploadDataCap**
 
 This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of "0" means that an unlimited amount of data can be uploaded. **The default value for this setting is 20 GB.**
 
-### Enable Peer Caching while the device connects via VPN
+### Enable peer caching while the device connects via VPN
 
 MDM Setting: **DOAllowVPNPeerCaching**
 
 This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed, except when the 'Local Discovery' (DNS-SD) option is chosen.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
 
+### VPN Keywords
+
+MDM Setting: **DOVpnKeywords**
+
+This policy allows you to set one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not set so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: “VPN”, “Secure”, and “Virtual Private Network” (ex: “MSFTVPN” matches the “VPN” keyword). As the number of VPNs grow it’s difficult to support an ever-changing list of VPN names. To address this, we’ve introduced this new setting to set unique VPN names to meet the needs of individual environments.
+
+### Disallow cache server downloads on VPN
+
+MDM Setting: **DODisallowCacheServerDownloadsOnVPN**
+
+This policy disallows downloads from Connected Cache servers when the device connects via VPN. **By default, the device is allowed to download from Connected Cache when connected via VPN.** Set this policy if you prefer devices to download directly from the Internet when connected remotely (via VPN) instead of pulling from a Microsoft Connected Cache server deployed on your corporate network.
+
 ### Allow uploads while the device is on battery while under set Battery level
 
 MDM Setting: **DOMinBatteryPercentageAllowedToUpload**
@@ -324,7 +335,7 @@ The device can download from peers while on battery regardless of this policy.
 
 MDM Setting: **DOCacheHost**
 
-Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.**
+Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, the Microsoft Connected Cache server priority order is determined based on the order as they are listed. If the first server fails, it will move the the next one. When the last server fails, it will fallback to the CDN.
 
 >[!IMPORTANT]
 > Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty.
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 550dbf7563..40c469034e 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -1,25 +1,24 @@
 ---
 title: Set up Delivery Optimization
-description: In this article, learn how to set up Delivery Optimization.
+description: In this article, learn how to set up Delivery Optimization for use by Windows clients in your organization.
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
 author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
 manager: aaroncz
-ms.prod: windows-client
-ms.technology: itpro-updates
-ms.localizationpriority: medium
-ms.topic: how-to
-ms.date: 12/19/2022
 ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
+ms.date: 08/15/2023
 ---
 
 # Set up Delivery Optimization for Windows
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 
 ## Set up Delivery Optimization
@@ -30,7 +29,7 @@ You find the Delivery Optimization settings in Group Policy under **Computer Con
 
 Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows).
 
-**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5.
+**Starting with Windows 10, version 1903**, you can use the Microsoft Entra tenant ID as a means to define groups. To set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5.
 
 ## Allow service endpoints
 
@@ -67,7 +66,7 @@ Quick-reference table:
 
 ### Hybrid WAN scenario
 
-For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies aren't set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider other options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy.
+For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies aren't set, is the AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider other options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy.
 
 In Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
 
@@ -110,17 +109,6 @@ Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** an
 
 [Learn more](delivery-optimization-test.md) about Delivery Optimization testing scenarios.
 
-<!--Using include file, waas-delivery-optimization-monitor.md, for shared content on DO monitoring-->
-[!INCLUDE [Monitor Delivery Optimization](includes/waas-delivery-optimization-monitor.md)]
-
-### Monitor with Windows Update for Business Delivery Optimization Report
-
-Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days.
-
-:::image type="content" source="/windows/deployment/update/images/wufb-do-overview.png" alt-text="This screenshot shows the Windows Update for Business report, Delivery Optimization status in Update Compliance." lightbox="/windows/deployment/update/images/wufb-do-overview.png":::
-
-For details, see [Windows Update for Business Delivery Optimization Report](../update/wufb-reports-overview.md).
-
 ## Troubleshooting
 
 This section summarizes common problems and some solutions to try.
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index 14d8a8a7d9..010894a61d 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -3,25 +3,23 @@ title: What is Delivery Optimization?
 description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
 ms.prod: windows-client
 ms.technology: itpro-updates
-ms.localizationpriority: medium
+ms.topic: overview
 author: cmknox
 ms.author: carmenf
 manager: aaroncz
+ms.reviewer: mstewart
 ms.collection:
   - tier3
   - highpri
-ms.topic: overview
-ms.date: 12/31/2017
-ms.reviewer: mstewart
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+ms.date: 06/02/2023
 ---
 
 # What is Delivery Optimization?
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
 
 Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is optional.
@@ -64,6 +62,7 @@ The following table lists the minimum Windows 10 version that supports Delivery
 | Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: |  | :heavy_check_mark: |
 | Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: |  |  |
 | MSIX Installer| Windows 10 2004, Windows 11 | :heavy_check_mark: |  |  |
+| Teams (via MSIX Installer) | Windows 10 2004, Windows 11 | :heavy_check_mark: |  |  |
 
 #### Windows Server
 
diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md
index 398ef9a635..e3c42165c0 100644
--- a/windows/deployment/do/waas-microsoft-connected-cache.md
+++ b/windows/deployment/do/waas-microsoft-connected-cache.md
@@ -1,25 +1,23 @@
 ---
 title: Microsoft Connected Cache overview
-manager: aaroncz
 description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution.
 ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: article
 ms.technology: itpro-updates
-ms.date: 05/09/2023
-ms.collection: tier3
+ms.topic: overview
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 06/02/2023
 ---
 
 # What is Microsoft Connected Cache?
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > [!IMPORTANT]
 > Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md
index e8fa21b8c3..7f07d6a15f 100644
--- a/windows/deployment/do/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/do/waas-optimize-windows-10-updates.md
@@ -1,25 +1,23 @@
 ---
 title: Optimize Windows update delivery
-description: Two methods of peer-to-peer content distribution are available, Delivery Optimization and BranchCache.
+description: Learn about the two methods of peer-to-peer content distribution that are available, Delivery Optimization and BranchCache.
 ms.prod: windows-client
-ms.localizationpriority: medium
+ms.topic: conceptual
+ms.technology: itpro-updates
 ms.author: carmenf
 author: cmknox
 ms.reviewer: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 12/31/2017
 ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 02/14/2023
 ---
 
 # Optimize Windows update delivery
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 
 When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows client offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows client.
@@ -41,8 +39,8 @@ Two methods of peer-to-peer content distribution are available.
 
 | Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager |
 | --- | --- | --- | --- | --- |
-| Delivery Optimization | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
-| BranchCache | ![no.](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
+| Delivery Optimization | Yes | Yes | Yes | Yes |
+| BranchCache | No | No |Yes | Yes |
 
 > [!NOTE]
 > Microsoft Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache).
@@ -92,9 +90,9 @@ At this point, the download is complete and the update is ready to be installed.
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](../update/waas-overview.md) |
-| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](../update/waas-servicing-strategy-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Build deployment rings for Windows client updates](../update/waas-deployment-rings-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows client updates](../update/waas-servicing-channels-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this article) |
-| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](../update/waas-manage-updates-wufb.md)<br/>or [Deploy Windows client updates using Windows Server Update Services](../update/waas-manage-updates-wsus.md)<br/>or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ✅| [Learn about updates and servicing channels](../update/waas-overview.md) |
+| ✅ | [Prepare servicing strategy for Windows client updates](../update/waas-servicing-strategy-windows-10-updates.md) |
+| ✅ | [Build deployment rings for Windows client updates](../update/waas-deployment-rings-windows-10-updates.md) |
+| ✅| [Assign devices to servicing channels for Windows client updates](../update/waas-servicing-channels-windows-10-updates.md) |
+| ✅ | Optimize update delivery for Windows 10 updates (this article) |
+|  | [Deploy updates using Windows Update for Business](../update/waas-manage-updates-wufb.md)<br/>or [Deploy Windows client updates using Windows Server Update Services](../update/waas-manage-updates-wsus.md)<br/>or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md
index 6236a48963..7c18691ae6 100644
--- a/windows/deployment/do/whats-new-do.md
+++ b/windows/deployment/do/whats-new-do.md
@@ -1,25 +1,24 @@
 ---
 title: What's new in Delivery Optimization
-manager: aaroncz
 description: What's new in Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
 ms.prod: windows-client
-author: cmknox
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.topic: article
 ms.technology: itpro-updates
-ms.date: 12/31/2017
-ms.collection: tier3
+ms.topic: conceptual
+author: cmknox
+ms.author: carmenf
+manager: aaroncz
 ms.reviewer: mstewart
+ms.collection: tier3
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 06/02/2023
 ---
 
 # What's new in Delivery Optimization
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
+This article contains information about what's new in Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
 ## Microsoft Connected Cache (early preview)
 
 Microsoft Connected Cache (MCC) is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
@@ -33,10 +32,12 @@ There are two different versions:
 
 ## New in Delivery Optimization for Windows
 
-- Delivery Optimization introduced support for receiver side ledbat (rLedbat) in Windows 11 22H2.
+### Windows 11 22H2
 
-- New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID)."
-- Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization restricts peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization connects to locally discovered peers that are also part of the same group, for those devices with the same Group ID).
+- New setting: Customize vpn detection by choosing custom keywords. Now, you don't have to rely on Delivery Optimization keywords to detect your Vpn. By using the new VpnKeywords configuration you can add keywords for Delivery Optimization to use when detecting a Vpn when in use. You can find this configuration **[VPN Keywords](waas-delivery-optimization-reference.md#vpn-keywords)** in Group Policy or MDM under **DOVpnKeywords**.
+- New setting: Use the disallow downloads from a connected cache server, when a Vpn is detected and you want to prevent the download from the connected cache server. You can find this configuration **[Disallow download from MCC over VPN](waas-delivery-optimization-reference.md#disallow-cache-server-downloads-on-vpn) in Group Policy or MDM under **DODisallowCacheServerDownloadsOnVPN**.
+- Delivery Optimization introduced support for receiver side ledbat (rLedbat).
+- New setting: Local Peer Discovery, a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** in Group Policy or MDM **DORestrictPeerSelectionBy**. This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization restricts peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization connects to locally discovered peers that are also part of the same group, for those devices with the same Group ID).Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2).
 
 > [!NOTE]
 > The Local Peer Discovery (DNS-SD, [RFC 6763](https://datatracker.ietf.org/doc/html/rfc6763)) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. For more information, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index d718ec36aa..c9f6a5f653 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -58,7 +58,10 @@
         "jborsecnik",
         "tiburd",
         "garycentric",
-        "beccarobins"
+        "beccarobins",
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ],
       "searchScope": ["Windows 10"]
     },
diff --git a/windows/deployment/images/volumeactivationforwindows81-04.jpg b/windows/deployment/images/volumeactivationforwindows81-04.jpg
deleted file mode 100644
index d5b572f1aa..0000000000
Binary files a/windows/deployment/images/volumeactivationforwindows81-04.jpg and /dev/null differ
diff --git a/windows/deployment/images/volumeactivationforwindows81-05.jpg b/windows/deployment/images/volumeactivationforwindows81-05.jpg
deleted file mode 100644
index a4bd9776ac..0000000000
Binary files a/windows/deployment/images/volumeactivationforwindows81-05.jpg and /dev/null differ
diff --git a/windows/deployment/images/volumeactivationforwindows81-06.jpg b/windows/deployment/images/volumeactivationforwindows81-06.jpg
deleted file mode 100644
index c29a628b05..0000000000
Binary files a/windows/deployment/images/volumeactivationforwindows81-06.jpg and /dev/null differ
diff --git a/windows/deployment/images/volumeactivationforwindows81-07.jpg b/windows/deployment/images/volumeactivationforwindows81-07.jpg
deleted file mode 100644
index 346cbaa5c1..0000000000
Binary files a/windows/deployment/images/volumeactivationforwindows81-07.jpg and /dev/null differ
diff --git a/windows/deployment/images/volumeactivationforwindows81-08.jpg b/windows/deployment/images/volumeactivationforwindows81-08.jpg
deleted file mode 100644
index eff421d6bb..0000000000
Binary files a/windows/deployment/images/volumeactivationforwindows81-08.jpg and /dev/null differ
diff --git a/windows/deployment/images/volumeactivationforwindows81-09.jpg b/windows/deployment/images/volumeactivationforwindows81-09.jpg
deleted file mode 100644
index 1e3cf9c0d8..0000000000
Binary files a/windows/deployment/images/volumeactivationforwindows81-09.jpg and /dev/null differ
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index 2a900b672d..b3911601ff 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -23,7 +23,7 @@ For many years, organizations have deployed new versions of Windows using a "wip
 
 Windows 10 also introduces two additional scenarios that organizations should consider:
 
--   **In-place upgrade**, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications.
+-   **In-place upgrade**, which provides a simple, automated process that uses the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications.
 
 -   **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device.
 
@@ -33,8 +33,8 @@ Windows 10 also introduces two additional scenarios that organizations should co
 
 | Consider ... | For these scenarios  |
 |---|---|
-| In-place upgrade  | - When you want to keep all (or at least most) existing applications<br/>- When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)<br/>- To migrate from Windows 10 to a later Windows 10 release |
-| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS<br/>- When you make significant device or operating system configuration changes<br/>- When you "start clean". For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs<br/>- When you migrate from Windows Vista or other previous operating system versions |
+| In-place upgrade  | - When you want to keep all (or at least most) existing applications<br/>- When you don't plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)<br/>- To migrate from Windows 10 to a later Windows 10 release |
+| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS<br/>- When you make significant device or operating system configuration changes<br/>- When you "start clean". For example, scenarios where it isn't necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs<br/>- When you migrate from Windows Vista or other previous operating system versions |
 | Dynamic provisioning | - For new devices, especially in "choose your own device" scenarios when simple configuration (not reimaging) is all that is required. <br/>- When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps |
 
 ## Migration from previous Windows versions
@@ -45,19 +45,19 @@ The original Windows 8 release was only supported until January 2016. For device
 
 For PCs running operating systems older than Windows 7, you can perform wipe-and-load (OS refresh) deployments when you use compatible hardware.
 
-For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be leveraged (with in-place upgrade being the preferred method, as previously discussed).
+For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be used (with in-place upgrade being the preferred method, as previously discussed).
 
-For organizations that did not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.
+For organizations that didn't take advantage of the free upgrade offer and aren't enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.
 
 ## Setting up new computers
 
-For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use:
+For new computers acquired with Windows 10 preinstalled, you can use dynamic provisioning scenarios to transform the device from its initial state into a fully configured organization PC. There are two primary dynamic provisioning scenarios you can use:
 
--   **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their "work or school account" within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+-   **User-driven, from the cloud.** By joining a device into Microsoft Entra ID and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Microsoft Entra account and password (called their "work or school account" within Windows 10). The MDM service can then transform the device into a fully configured organization PC. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
 
--   **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
+-   **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully configured organization PC. For more information, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
 
-In either of these scenarios, you can make a variety of configuration changes to the PC:
+In either of these scenarios, you can make various configuration changes to the PC:
 
 -   Transform the edition (SKU) of Windows 10 that is in use.
 -   Apply configuration and settings to the device (for example, security settings, device restrictions, policies, Wi-Fi and VPN profiles, certificates, and so on).
@@ -66,18 +66,18 @@ In either of these scenarios, you can make a variety of configuration changes to
 
 ## Stay up to date
 
-For computers using the [General Availability Channel](../update/waas-overview.md#general-availability-channel), you can deploy these upgrades by using a variety of methods:
+For computers using the [General Availability Channel](../update/waas-overview.md#general-availability-channel), you can deploy these upgrades by using various methods:
 
 -   Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.
--   Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). 
+-   Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they're approved (deploying like an update). 
 -   Configuration Manager task sequences.
 -   Configuration Manager software update capabilities (deploying like an update).
 
-These upgrades (which are installed differently than monthly updates) leverage an in-place upgrade process. Unlike updates, which are relatively small, these upgrades will include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements.
+These upgrades (which are installed differently than monthly updates) use an in-place upgrade process. Unlike updates, which are relatively small, these upgrades include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements.
 
 The upgrade process is also optimized to reduce the overall time and network bandwidth consumed.
 
-## Related topics
+## Related articles
 
 [Windows 10 compatibility](windows-10-compatibility.md)<br>
-[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
\ No newline at end of file
+[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index d20d9c067f..f49339b0fd 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -37,7 +37,7 @@ Save your files to your favorite cloud, like OneDrive or Dropbox, and access the
 
 Windows in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot) for deployment, and a Mobile Device Management (MDM) solution for management, like Microsoft Intune.
 
-Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic device that can only be used to join the company Azure AD tenant or Active Directory domain. Policies are then deployed automatically through MDM, to customize the device to the user and the desired environment.
+Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic device that can only be used to join the company Microsoft Entra tenant or Active Directory domain. Policies are then deployed automatically through MDM, to customize the device to the user and the desired environment.
 
 For the devices that are shipped in S mode, you can either keep them in S mode, use Windows Autopilot to switch them out of S mode during the first run process, or later using MDM, if desired.
 
diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md
index a0f9346acc..72d37a8849 100644
--- a/windows/deployment/update/PSFxWhitepaper.md
+++ b/windows/deployment/update/PSFxWhitepaper.md
@@ -2,20 +2,23 @@
 title: Windows Updates using forward and reverse differentials
 description: A technique to produce compact software updates optimized for any origin and destination revision pair
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 08/21/2021
 ---
 
 # Windows Updates using forward and reverse differentials
 
-Windows 10 monthly quality updates are cumulative, containing all previously
+Windows monthly quality updates are cumulative, containing all previously
 released fixes to ensure consistency and simplicity. For an operating system
-platform like Windows 10, which stays in support for multiple years, the size of
+platform like Windows, which stays in support for multiple years, the size of
 monthly quality updates can quickly grow large, thus directly impacting network
 bandwidth consumption.
 
@@ -23,8 +26,8 @@ Today, this problem is addressed by using express downloads, where differential
 downloads for every changed file in the update are generated based on selected
 historical revisions plus the base version. In this paper, we introduce a new
 technique to build compact software update packages that are applicable to any
-revision of the base version, and then describe how Windows 10 quality updates
-uses this technique.
+revision of the base version, and then describe how Windows quality updates
+use this technique.
 
 ## General Terms
 
@@ -65,45 +68,44 @@ numerous advantages:
 - Efficient to install
 - Redistributable
 
-Historically, download sizes of Windows 10 quality updates (Windows 10, version 1803 and older supported versions of Windows 10) are optimized by using express download. Express download is optimized such that updating Windows 10 systems will download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version.
+Historically, download sizes of Windows quality updates (Windows 10, version 1803 and older supported versions of Windows 10) were optimized by using express download. Express download is optimized such that updating Windows systems download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version.
 
-For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
+For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as express download files) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device applying express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
 
-The flip side of express download is that the size of PSF files can be very large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they are unable to leverage express updates to keep their fleet of devices running Windows 10 up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it is only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly.
+The flip side of express download is that the size of PSF files can be large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they're unable to use express updates to keep their fleet of devices running Windows up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it's only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly.
 
-In the following sections, we describe how Windows 10 quality updates will leverage this technique based on forward and reverse differentials for newer releases of Windows 10 and Windows Server to overcome the challenges with express downloads.
+In the following sections, we describe how quality updates use this technique based on forward and reverse differentials for newer releases of Windows  and Windows Server to overcome the challenges with express downloads.
 
 ## High-level Design
 
 ### Update packaging
 
-Windows 10 quality update packages will contain forward differentials from quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM (∆N→RTM) for each file that has changed since RTM. By using the RTM version as the baseline, we ensure that all devices will have an identical payload. Update package metadata, content manifests, and forward and reverse differentials will be packaged into a cabinet file (.cab). This .cab file, and the applicability logic, will also be wrapped in Microsoft Standalone Update (.msu) format.
+Windows quality update packages contain forward differentials from quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM (∆N→RTM) for each file that has changed since RTM. By using the RTM version as the baseline, we ensure that all devices have an identical payload. Update package metadata, content manifests, and forward and reverse differentials are packaged into a cabinet file (.cab). This .cab file, and the applicability logic, will also be wrapped in Microsoft Standalone Update (.msu) format.
 
-There can be cases where new files are added to the system during servicing. These files will not have RTM baselines, thus forward and reverse differentials cannot be used. In these scenarios, null differentials will be used to handle servicing. Null differentials are the slightly compressed and optimized version of the full binaries. Update packages can have either forward or reverse differentials, or null differential of any given binary in them. The following image symbolizes the content of a Windows 10 quality update installer:
+There can be cases where new files are added to the system during servicing. These files won't have RTM baselines, thus forward and reverse differentials can't be used. In these scenarios, null differentials are used to handle servicing. Null differentials are the slightly compressed and optimized version of the full binaries. Update packages can have either forward or reverse differentials, or null differential of any given binary in them. The following image symbolizes the content of a Windows quality update installer:
 
 ![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containing four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.).](images/PSF4.png)
 
 ### Hydration and installation 
 
-Once the usual applicability checks are performed on the update package and are determined to be applicable, the Windows component servicing infrastructure will hydrate the full files during pre-installation and then proceed with the usual installation process.
+Once the usual applicability checks are performed on the update package and are determined to be applicable, the Windows component servicing infrastructure hydrates the full files during preinstallation and then proceeds with the usual installation process.
 
-Below is a high-level sequence of activities that the component servicing infrastructure will run in a transaction to complete installation of the update:
+Below is a high-level sequence of activities that the component servicing infrastructure runs in a transaction to complete installation of the update:
 
 - Identify all files that are required to install the update.
 - Hydrate each of necessary files using current version (V<sub>N</sub>) of the file, reverse differential (V<sub>N</sub>--->RTM) of the file back to quality update RTM/base version and forward differential (V<sub>RTM</sub>--->R) from feature update RTM/base version to the target version. Also, use null differential hydration to hydrate null compressed files.
-- Stage the hydrated files (full file), forward differentials (under ‘f’ folder) and reverse differentials (under ‘r’ folder) or null compressed files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder).
+- Stage the hydrated files (full file), forward differentials (under `f` folder) and reverse differentials (under `r` folder) or null compressed files (under `n` folder) in the component store (%windir%\\WinSxS folder).
 - Resolve any dependencies and install components.
 - Clean up older state (V<sub>N-1</sub>); the previous state V<sub>N</sub> is retained for uninstallation and restoration or repair.
 
 ### **Resilient Hydration**
 
-To ensure resiliency against component store corruption or missing files that could occur due to susceptibility of certain types of hardware to file system corruption, a corruption repair service has been traditionally used to recover the component store automatically (“automatic corruption repair”) or on demand (“manual corruption repair”) using an online or local repair source. This service will continue to offer the ability to repair and recover content for
-hydration and successfully install an update, if needed.
+To ensure resiliency against component store corruption or missing files that could occur due to susceptibility of certain types of hardware to file system corruption, a corruption repair service has been traditionally used to recover the component store automatically (automatic corruption repair) or on demand (manual corruption repair) using an online or local repair source. This service will continue to offer the ability to repair and recover content for hydration and successfully install an update, if needed.
 
-When corruption is detected during update operations, automatic corruption repair will start as usual and use the Baseless Patch Storage File published to Windows Update for each update to fix corrupted manifests, binary differentials, or hydrated or full files. Baseless patch storage files will contain reverse and forward differentials and full files for each updated component. Integrity of the repair files will be hash verified.
+When corruption is detected during update operations, automatic corruption repair starts as usual and uses the Baseless Patch Storage File published to Windows Update for each update to fix corrupted manifests, binary differentials, or hydrated or full files. Baseless patch storage files contain reverse and forward differentials and full files for each updated component. Integrity of the repair files will be hash verified.
 
-Corruption repair will use the component manifest to detect missing files and get hashes for corruption detection. During update installation, new registry flags for each differential staged on the machine will be set. When automatic corruption repair runs, it will scan hydrated files using the manifest and differential files using the flags. If the differential cannot be found or verified, it will be added to the list of corruptions to repair.
+Corruption repair uses the component manifest to detect missing files and get hashes for corruption detection. During update installation, new registry flags for each differential staged on the machine are set. When automatic corruption repair runs, it scans hydrated files using the manifest and differential files using the flags. If the differential can't be found or verified, it's added to the list of corruptions to repair.
 
 ### Lazy automatic corruption repair
 
-“Lazy automatic corruption repair” runs during update operations to detect corrupted binaries and differentials. While applying an update, if hydration of any file fails, "lazy" automatic corruption repair automatically starts, identifies the corrupted binary or differential file, and then adds it to the corruption list. Later, the update operation continues as far as it can go, so that "lazy" automatic corruption repair can collect as many corrupted files to fix as possible. At the end of the hydration section, the update fails, and automatic corruption repair starts. Automatic corruption repair runs as usual and at the end of its operation, adds the corruption list generated by "lazy" automatic corruption repair on top of the new list to repair. Automatic corruption repair then repairs the files on the corruption list and installation of the update will succeed on the next attempt.
+"Lazy automatic corruption repair" runs during update operations to detect corrupted binaries and differentials. While applying an update, if hydration of any file fails, "lazy" automatic corruption repair automatically starts, identifies the corrupted binary or differential file, and then adds it to the corruption list. Later, the update operation continues as far as it can go, so that "lazy" automatic corruption repair can collect as many corrupted files to fix as possible. At the end of the hydration section, the update fails, and automatic corruption repair starts. Automatic corruption repair runs as usual and at the end of its operation, adds the corruption list generated by "lazy" automatic corruption repair on top of the new list to repair. Automatic corruption repair then repairs the files on the corruption list and installation of the update will succeed on the next attempt.
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index c77bd7cf97..ba7b6d264d 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -1,14 +1,19 @@
 ---
 title: How to check Windows release health
 description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
-ms.date: 06/07/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 ms.author: mstewart
 author: mestew
 manager: aaroncz
-ms.reviewer: mstewart
-ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-updates
+ms.collection:
+  - tier2
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 09/08/2023
 ---
 
 # How to check Windows release health
@@ -31,7 +36,7 @@ Ensure the following prerequisites are met to display the Windows release health
    - Most roles containing the word `administrator` give you access to the Windows release health page such as [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator), [Helpdesk Administrator](/azure/active-directory/roles/permissions-reference#helpdesk-administrator), and [Service Support Administrator](/azure/active-directory/roles/permissions-reference#service-support-administrator). For more information, see [Assign admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/assign-admin-roles).
 
 > [!NOTE]
-> Currently, Windows release health isn't available for Government Community Cloud (GCC) tenants.
+> Currently, Windows release health is available for Government Community Cloud (GCC) tenants, but isn't available for GCC High and DoD. <!--8337541-->
 
 ## How to review Windows release health information
 
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index 0f0a693609..89a981ff58 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -1,28 +1,28 @@
 ---
 title: Create a deployment plan
-description: Devise the number of deployment rings you need and how you want to populate them
+description: Devise the number of deployment rings you need and how you want to populate each of the deployment rings.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.collection:
+  - tier2
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # Create a deployment plan
 
-**Applies to**
-
--   Windows 10
--   Windows 11
-
 A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
 
-When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We’ve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
+When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We've found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
 
-At the highest level, each “ring” comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
+At the highest level, each ring comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
 
 A common ring structure uses three deployment groups:
 
@@ -31,7 +31,7 @@ A common ring structure uses three deployment groups:
 - Broad: Wide deployment
 
 > [!NOTE]
-> Organizations often use different names for their “rings," for example:
+> Organizations often use different names for their rings, for example:
 > - First > Fast > Broad
 > - Canaries > Early Adopters > Users
 > - Preview > Broad > Critical
@@ -45,8 +45,8 @@ There are no definite rules for exactly how many rings to have for your deployme
 
 There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project based.
 
-- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the “red button” to stop further distribution.
-- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the “green button” to push the content to the next ring.
+- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
+- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
 
 When it comes to deployments, having manual steps in the process usually impedes update velocity. A "red button" strategy is better when that is your goal. 
 
@@ -84,7 +84,7 @@ Analytics can help with defining a good Limited ring of representative devices a
 
 ### Who goes in the Limited ring?
 
-The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network.
+The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don't have the applications or device drivers that are truly a representative sample of your network.
 
 
 During your pilot and validate phases, you should focus on the following activities:
@@ -93,11 +93,11 @@ During your pilot and validate phases, you should focus on the following activit
 - Assess and act if issues are encountered.
 - Move forward unless blocked.
 
-When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring. Your Limited ring represents your organization across the board. When you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly.
+When you deploy to the Limited ring, you'll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring. Your Limited ring represents your organization across the board. When you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly.
 
 ## Broad deployment
 
-Once the devices in the Limited ring have had a sufficient stabilization period, it’s time for broad deployment across the network.
+Once the devices in the Limited ring have had a sufficient stabilization period, it's time for broad deployment across the network.
 
 ### Who goes in the Broad deployment ring?
 
diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md
index 15d3739ce1..4373f59f58 100644
--- a/windows/deployment/update/deployment-service-drivers.md
+++ b/windows/deployment/update/deployment-service-drivers.md
@@ -1,19 +1,24 @@
 ---
-title: Deploy drivers and firmware updates with Windows Update for Business deployment service.
-description: Use Windows Update for Business deployment service to deploy driver and firmware updates. 
+title: Deploy drivers and firmware updates
+titleSuffix: Windows Update for Business deployment service 
+description: Use Windows Update for Business deployment service to deploy driver and firmware updates to devices.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.collection:
+  - tier1
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 06/22/2023
 ---
 
 # Deploy drivers and firmware updates with Windows Update for Business deployment service
 <!--7260403, 7512398-->
-***(Applies to: Windows 11 & Windows 10)***
 
 The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune). 
 
@@ -182,7 +187,7 @@ content-type: application/json
 Once Windows Update for Business deployment service has scan results from devices, the applicability for driver and firmware updates can be displayed for a deployment audience. Each applicable update returns the following information:
 
 - An `id` for its [catalog entry](/graph/api/resources/windowsupdates-catalogentry)
-- The **Azure AD ID** of the devices it's applicable to
+- The **Microsoft Entra ID** of the devices it's applicable to
 - Information describing the update such as the name and version.
 
 To display [applicable content](/graph/api/resources/windowsupdates-applicablecontent), run a query using the  **Audience ID**, for example `d39ad1ce-0123-4567-89ab-cdef01234567`:  
@@ -192,7 +197,7 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d
 ```
 
 The following truncated response displays:
-  - An **Azure AD ID** of `01234567-89ab-cdef-0123-456789abcdef`
+  - An **Microsoft Entra ID** of `01234567-89ab-cdef-0123-456789abcdef`
   - The **Catalog ID** of `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c`  
 
       ```json
@@ -332,4 +337,4 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deployments?orderby=c
 ## Policy considerations for drivers
 
 <!--Using include for Policy considerations for drivers-->
-[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)]
\ No newline at end of file
+[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)]
diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/update/deployment-service-expedited-updates.md
index 14b6fec38a..9279a5e9d4 100644
--- a/windows/deployment/update/deployment-service-expedited-updates.md
+++ b/windows/deployment/update/deployment-service-expedited-updates.md
@@ -1,20 +1,24 @@
 ---
-title: Deploy expedited updates with Windows Update for Business deployment service
-description: Use Windows Update for Business deployment service to deploy expedited updates.
+title: Deploy expedited updates
+titleSuffix: Windows Update for Business deployment service
+description: Learn how to use Windows Update for Business deployment service to deploy expedited updates to devices in your organization. 
 ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: article
 ms.technology: itpro-updates
-ms.date: 02/14/2023
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+  - tier1
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 08/29/2023
 ---
 
 # Deploy expedited updates with Windows Update for Business deployment service
-
 <!--7512398-->
-***(Applies to: Windows 11 & Windows 10)***
 
 In this article, you will:
 > [!div class="checklist"]
@@ -47,13 +51,13 @@ All of the [prerequisites for the Windows Update for Business deployment service
 
 ## List catalog entries for expedited updates
 
-Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=3` and ordering by `ReleaseDateTimeshows` displays the three most recent updates.
+Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=1` and ordering by `ReleaseDateTimeshows` displays the most recent update that can be deployed as expedited.
 
 ```msgraph-interactive
-GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=3
+GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=1
 ```
 
-The following truncated response displays a **Catalog ID** of  `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432` for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update:
+The following truncated response displays a **Catalog ID** of  `e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5` for the `08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later` security update:
 
 ```json
 {
@@ -61,21 +65,119 @@ The following truncated response displays a **Catalog ID** of  `693fafea03c24cca
     "value": [
         {
             "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
-            "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432",
-            "displayName": "01/10/2023 - 2023.01 B Security Updates for Windows 10 and later",
+            "id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5",
+            "displayName": "08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later",
             "deployableUntilDateTime": null,
-            "releaseDateTime": "2023-01-10T00:00:00Z",
+            "releaseDateTime": "2023-08-08T00:00:00Z",
             "isExpeditable": true,
-            "qualityUpdateClassification": "security"
-        },
-        ...
+            "qualityUpdateClassification": "security",
+            "catalogName": "2023-08 Cumulative Update for Windows 10 and later",
+            "shortName": "2023.08 B",
+            "qualityUpdateCadence": "monthly",
+            "cveSeverityInformation": {
+                "maxSeverity": "critical",
+                "maxBaseScore": 9.8,
+                "exploitedCves@odata.context": "https://graph.microsoft.com/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves",
+                "exploitedCves": [
+                    {
+                        "number": "ADV230003",
+                        "url": "https://msrc.microsoft.com/update-guide/vulnerability/ADV230003"
+                    },
+                    {
+                        "number": "CVE-2023-38180",
+                        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180"
+                    }
+                ]
+            }
+        }
     ]
 }
 ```
 
+The deployment service can display more information about updates that were released on or after January 2023. Using [product revision](/graph/api/resources/windowsupdates-productrevision) gives you additional information about the updates, such as the KB numbers, and the `MajorVersion.MinorVersion.BuildNumber.UpdateBuildRevision`. Windows 10 and 11 share the same major and minor versions, but have different build numbers. 
+<!--8092737-->
+Use the following to display the product revision information for the most recent quality update:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$expand=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions&$orderby=releaseDateTime desc&$top=1
+```
+
+
+The following truncated response displays information about KB5029244 for Windows 10, version 22H2, and KB5029263 for Windows 11, version 22H2:
+
+```json
+{
+    "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries(microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions())",
+    "value": [
+        {
+            "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
+            "id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5",
+            "displayName": "08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later",
+            "deployableUntilDateTime": null,
+            "releaseDateTime": "2023-08-08T00:00:00Z",
+            "isExpeditable": true,
+            "qualityUpdateClassification": "security",
+            "catalogName": "2023-08 Cumulative Update for Windows 10 and later",
+            "shortName": "2023.08 B",
+            "qualityUpdateCadence": "monthly",
+            "cveSeverityInformation": {
+                "maxSeverity": "critical",
+                "maxBaseScore": 9.8,
+                "exploitedCves@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves",
+                "exploitedCves": [
+                    {
+                        "number": "ADV230003",
+                        "url": "https://msrc.microsoft.com/update-guide/vulnerability/ADV230003"
+                    },
+                    {
+                        "number": "CVE-2023-38180",
+                        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180"
+                    }
+                ]
+            },
+            "productRevisions@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions",
+            "productRevisions": [
+                {
+                    "id": "10.0.19045.3324",
+                    "displayName": "Windows 10, version 22H2, build 19045.3324",
+                    "releaseDateTime": "2023-08-08T00:00:00Z",
+                    "version": "22H2",
+                    "product": "Windows 10",
+                    "osBuild": {
+                        "majorVersion": 10,
+                        "minorVersion": 0,
+                        "buildNumber": 19045,
+                        "updateBuildRevision": 3324
+                    },
+                    "knowledgeBaseArticle@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions('10.0.19045.3324')/knowledgeBaseArticle/$entity",
+                    "knowledgeBaseArticle": {
+                        "id": "KB5029244",
+                        "url": "https://support.microsoft.com/help/5029244"
+                    }
+                },
+                {
+                    "id": "10.0.22621.2134",
+                    "displayName": "Windows 11, version 22H2, build 22621.2134",
+                    "releaseDateTime": "2023-08-08T00:00:00Z",
+                    "version": "22H2",
+                    "product": "Windows 11",
+                    "osBuild": {
+                        "majorVersion": 10,
+                        "minorVersion": 0,
+                        "buildNumber": 22621,
+                        "updateBuildRevision": 2134
+                    },
+                    "knowledgeBaseArticle@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions('10.0.22621.2134')/knowledgeBaseArticle/$entity",
+                    "knowledgeBaseArticle": {
+                        "id": "KB5029263",
+                        "url": "https://support.microsoft.com/help/5029263"
+                    }
+                },
+```
+
 ## Create a deployment
 
-When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update with catalog entry ID `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432`, and defines the `expedite` and `userExperience` deployment options in the request body.
+When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later` security update with catalog entry ID `e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5`, and defines the `expedite` and `userExperience` deployment options in the request body.
 
 ```msgraph-interactive
 POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
@@ -87,7 +189,7 @@ content-type: application/json
         "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
         "catalogEntry": {
             "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
-            "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432"
+            "id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5"
         }
     },
     "settings": {
@@ -154,7 +256,7 @@ The request returns a 201 Created response code and a [deployment](/graph/api/re
 
 The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be expedited.
 
-The following example adds two devices to the deployment audience using the **Azure AD ID** for each device:
+The following example adds two devices to the deployment audience using the **Microsoft Entra ID** for each device:
 
 ```msgraph-interactive
 POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
@@ -193,4 +295,4 @@ DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e
 
 
 <!--Using include for Update Health Tools log location-->
-[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)]
\ No newline at end of file
+[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)]
diff --git a/windows/deployment/update/deployment-service-feature-updates.md b/windows/deployment/update/deployment-service-feature-updates.md
index b1a289befa..070ecd8914 100644
--- a/windows/deployment/update/deployment-service-feature-updates.md
+++ b/windows/deployment/update/deployment-service-feature-updates.md
@@ -1,20 +1,24 @@
 ---
-title: Deploy feature updates with Windows Update for Business deployment service.
-description: Use Windows Update for Business deployment service to deploy feature updates. 
+title: Deploy feature updates 
+titleSuffix: Windows Update for Business deployment service
+description: Use Windows Update for Business deployment service to deploy feature updates to devices in your organization. 
 ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: article
 ms.technology: itpro-updates
-ms.date: 02/14/2023
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+  - tier1
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 08/29/2023
 ---
 
 # Deploy feature updates with Windows Update for Business deployment service
 <!--7512398-->
-***(Applies to: Windows 11 & Windows 10)***
-
 The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune). 
 
 This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a feature update to clients. In this article, you will:
@@ -57,7 +61,7 @@ When you enroll devices into feature update management, the deployment service b
 As long as a device remains enrolled in feature update management through the deployment service, the device doesn't receive any other feature updates from Windows Update unless explicitly deployed using the deployment service. A device is offered the specified feature update if it hasn't already received the update. For example, if you deploy Windows 11 feature update version 22H2 to a device that's enrolled into feature update management and is currently on an older version of Windows 11, the device updates to version 22H2. If the device is already running version 22H2 or a later version, it stays on its current version.
 
 > [!TIP]
-> Windows Update for Business reports has a [workbook](wufb-reports-workbook.md#feature-updates-tab) that displays the current operating system version for devices. In the workbook, go to the **Feature updates** tab and in the **In Service feature update** tile, select the **View details** link to open the details flyout. The OS version and Azure AD ID of devices can easily be exported into a .csv file or opened in [Azure Monitor Logs](/azure/azure-monitor/logs/log-query-overview) to help when creating a deployment audience.
+> Windows Update for Business reports has a [workbook](wufb-reports-workbook.md#feature-updates-tab) that displays the current operating system version for devices. In the workbook, go to the **Feature updates** tab and in the **In Service feature update** tile, select the **View details** link to open the details flyout. The OS version and Microsoft Entra ID of devices can easily be exported into a .csv file or opened in [Azure Monitor Logs](/azure/azure-monitor/logs/log-query-overview) to help when creating a deployment audience.
 
 <!--Using include for enrolling devices using Graph Explorer-->
 [!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-enroll-device-graph-explorer.md)]
@@ -82,7 +86,8 @@ The following truncated response displays a **Catalog ID** of  `d9049ddb-0ca8-4b
             "displayName": "Windows 11, version 22H2",
             "deployableUntilDateTime": "2025-10-14T00:00:00Z",
             "releaseDateTime": "2022-09-20T00:00:00Z",
-            "version": "Windows 11, version 22H2"
+            "version": "Windows 11, version 22H2",
+            "buildNumber": "22621"
         }
     ]
 }
@@ -225,7 +230,7 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-
 
 The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be offered. 
 
-The following example adds three devices to the deployment audience using the **Azure AD ID** for each device:
+The following example adds three devices to the deployment audience using the **Microsoft Entra ID** for each device:
 
    ```msgraph-interactive
    POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 4b8e52781b..58d36aae43 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -1,20 +1,24 @@
 ---
-title: Windows Update for Business deployment service
-description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates
+title: Overview of the deployment service
+titleSuffix: Windows Update for Business deployment service
+description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates with the deployment service.
 ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: overview
 ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+  - tier1
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 02/14/2023
 ---
 
 # Windows Update for Business deployment service
 
-***(Applies to: Windows 11 & Windows 10)***
-
 The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It's designed to work with your existing [Windows Update for Business](waas-manage-updates-wufb.md) policies and [Windows Update for Business reports](wufb-reports-overview.md). The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices. The service is privacy focused and backed by leading industry compliance certifications.
 
 Windows Update for Business product family has three elements:
diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md
index ad489103a6..d4dbc2e5e1 100644
--- a/windows/deployment/update/deployment-service-prerequisites.md
+++ b/windows/deployment/update/deployment-service-prerequisites.md
@@ -1,28 +1,34 @@
 ---
-title: Prerequisites for the Windows Update for Business deployment service
-description: Prerequisites for using the Windows Update for Business deployment service. 
+title: Prerequisites for the deployment service
+titleSuffix: Windows Update for Business deployment service
+description: Prerequisites for using the Windows Update for Business deployment service for updating devices in your organization. 
 ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: article
 ms.technology: itpro-updates
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+  - tier1
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 02/14/2023
 ---
 
 # Windows Update for Business deployment service prerequisites
 <!--7512398-->
-***(Applies to: Windows 11 & Windows 10)***
-
 Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites.
 
-## Azure and Azure Active Directory
+<a name='azure-and-azure-active-directory'></a>
 
-- An Azure subscription with [Azure Active Directory](/azure/active-directory/)
-- Devices must be Azure Active Directory-joined and meet the below OSrequirements.
-  - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
-  - Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business
+## Azure and Microsoft Entra ID
+
+- An Azure subscription with [Microsoft Entra ID](/azure/active-directory/)
+- Devices must be Microsoft Entra joined and meet the below OSrequirements.
+  - Devices can be [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+  - Devices that are [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business
 
 ## Licensing
 
diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md
index f6be148c37..65a6b7777a 100644
--- a/windows/deployment/update/deployment-service-troubleshoot.md
+++ b/windows/deployment/update/deployment-service-troubleshoot.md
@@ -1,22 +1,24 @@
 ---
-title: Troubleshoot the Windows Update for Business deployment service
-description: Solutions to common problems with the service
+title: Troubleshoot the deployment service
+titleSuffix: Windows Update for Business deployment service
+description: Solutions to commonly encountered problems when using the Windows Update for Business deployment service.
 ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-manager: aaroncz
-ms.topic: article
 ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.topic: troubleshooting
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+  - tier1
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 02/14/2023
 ---
 
-
-
 # Troubleshoot the Windows Update for Business deployment service
 
-***(Applies to: Windows 11 & Windows 10)***
-
 This troubleshooting guide addresses the most common issues that IT administrators face when using the Windows Update for Business [deployment service](deployment-service-overview.md). For a general troubleshooting guide for Windows Update, see [Windows Update troubleshooting](/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json).
 
 ## The device isn't receiving an update that I deployed
@@ -25,13 +27,13 @@ This troubleshooting guide addresses the most common issues that IT administrato
 - **Feature updates only**: The device might have a safeguard hold applied for the given feature update version. For more about safeguard holds, see [Safeguard holds](safeguard-holds.md) and [Opt out of safeguard holds](safeguard-opt-out.md).
 - Check that the deployment to which the device is assigned has the state *offering*. Deployments that have the states *paused* or *scheduled* won't deploy content to devices.
 - Check that the device has scanned for updates and is scanning the Windows Update service. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates).
-- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors.
+- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is successfully enrolled will be represented by a Microsoft Entra device resource with an update management enrollment for feature updates and have no Microsoft Entra device registration errors.
 -  **Expedited quality updates only**: Check that the device has the Update Health Tools installed (available for Windows 10 version 1809 or later in the update described in [KB 4023057 - Update for Windows 10 Update Service components](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a), or a more recent quality update). The Update Health Tools are required for a device to receive an expedited quality update. On a device, the program can be located at **C:\\Program Files\\Microsoft Update Health Tools**. You can verify its presence by reviewing **Add or Remove Programs** or using the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}`.
 
 ## The device is receiving an update that I didn't deploy
 
 - Check that the device is scanning the Windows Update service and not a different endpoint. If the device is scanning for updates from a WSUS endpoint, for example, it might receive different updates. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates).
-- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is not successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors.
+- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is not successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by a Microsoft Entra device resource with an update management enrollment for feature updates and have no Microsoft Entra device registration errors.
 
 ### The device installed a newer update then the expedited update I deployed
 
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 4a20d28511..6a83bab027 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -1,23 +1,21 @@
 ---
 title: Evaluate infrastructure and tools
-description: Steps to make sure your infrastructure is ready to deploy updates
+description: Review the steps to ensure your infrastructure is ready to deploy updates to clients in your organization.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: article
 author: mestew
 ms.author: mstewart
 manager: aaroncz
 ms.localizationpriority: medium
-ms.topic: article
-ms.technology: itpro-updates
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # Evaluate infrastructure and tools
 
-**Applies to**
-
--   Windows 10
--   Windows 11
-
 Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
 
 ## Infrastructure
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index 1385930bef..41a21d5d7c 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -1,20 +1,21 @@
 ---
-title: Best practices - deploy feature updates for user-initiated installations
+title: Best practices - user-initiated feature update installation
 description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation.
 ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
-ms.date: 07/10/2018
-manager: aaroncz
-ms.topic: article
 ms.technology: itpro-updates
+ms.topic: best-practice
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a>
+ms.date: 07/10/2018
 ---
 
 # Deploy feature updates for user-initiated installations (during a fixed service window)
 
-**Applies to**: Windows 10
-
 Use the following steps to deploy a feature update for a user-initiated installation.
 
 ## Get ready to deploy feature updates
@@ -22,7 +23,7 @@ Use the following steps to deploy a feature update for a user-initiated installa
 ### Step 1: Enable Peer Cache
 Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache.
 
-[Enable Configuration Manager client in full OS to share content](/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). 
+[Enable Configuration Manager client in full OS to share content](/mem/configmgr/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). 
 
 ### Step 2: Override the default Windows setup priority (Windows 10, version 1709 and later)
 
@@ -35,7 +36,7 @@ If you're deploying **Feature update to Windows 10, version 1709** or later, by
 Priority=Normal
 ```
 
-You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. 
+You can use the new [Run Scripts](/mem/configmgr/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. 
 
 ```
 #Parameters
@@ -80,7 +81,7 @@ or documentation, even if Microsoft has been advised of the possibility of such
 ```
 
 >[!NOTE]
->If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. 
+> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/mem/configmgr/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. 
 
 ## Manually deploy feature updates in a user-initiated installation
 
@@ -89,77 +90,73 @@ The following sections provide the steps to manually deploy a feature update.
 ### Step 1: Specify search criteria for feature updates
 There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying a feature update is to identify the feature updates that you want to deploy. 
 
-1. In the Configuration Manager console, click **Software Library**. 
-2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. 
+1. In the Configuration Manager console, select **Software Library**. 
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and select **All Windows 10 Updates**. The synchronized feature updates are displayed. 
 3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps:
-   - In the **search** text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. 
-   - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English.
+   - In the **search** text box, type a search string that filters for the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. 
+   - Select **Add Criteria**, select the criteria that you want to use to filter software updates, select **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English.
 
 4. Save the search for future use. 
 
 ### Step 2: Download the content for the feature update(s)
-Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. 
+Before you deploy the feature updates, you can download the content as a separate step. Do this download so you can verify that the content is available on the distribution points before you deploy the feature updates. Downloading first helps you avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. 
 
 1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. 
-2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**.
+2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right-click, and select **Download**.
 
    The **Download Software Updates Wizard** opens. 
 3. On the **Deployment Package** page, configure the following settings: 
    **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: 
-   - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. 
+   - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It's limited to 50 characters. 
    - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. 
-   - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. 
+   - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or select **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. 
 
-     >[!NOTE]
-     >The deployment package source location that you specify cannot be used by another software deployment package. 
+     > [!IMPORTANT]
+     > - The deployment package source location that you specify cannot be used by another software deployment package. 
+     > - The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. 
+     > - You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. 
 
-     >[!IMPORTANT]
-     >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. 
-
-     >[!IMPORTANT]
-     >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. 
-
-   Click **Next**. 
-4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). 
+   Select **Next**. 
+4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then select **Next**. For more information about distribution points, see [Distribution point configurations](/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). 
 
    >[!NOTE]
-   >The Distribution Points page is available only when you create a new software update deployment package. 
+   > The Distribution Points page is available only when you create a new software update deployment package. 
 5. On the **Distribution Settings** page, specify the following settings: 
 
-   - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. 
-   - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). 
+   - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there's no backlog, the package processes immediately regardless of its priority. By default, packages are sent using Medium priority. 
+   - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content isn't available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/mem/configmgr/core/plan-design/hierarchy/content-source-location-scenarios). 
    - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: 
      - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. 
      - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point.
-     - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. 
+     - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This setting is the default. 
       
-     For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). 
-   Click **Next**. 
+     For more information about prestaging content to distribution points, see [Use Prestaged content](/mem/configmgr/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). 
+   Select **Next**. 
 6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: 
 
    - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting.
-   - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. 
+   - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard doesn't have Internet access. 
    
      >[!NOTE]
-     >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
+     > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
 
-   Click **Next**. 
-7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. 
-8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. 
-9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click **Close**. 
+   Select **Next**. 
+7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then select **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. 
+8. On the **Summary** page, verify the settings that you selected in the wizard, and then select **Next** to download the software updates. 
+9. On the **Completion** page, verify that the software updates were successfully downloaded, and then select **Close**. 
 
 #### To monitor content status
-1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. 
-2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. 
+1. To monitor the content status for the feature updates, select **Monitoring** in the Configuration Manager console. 
+2. In the Monitoring workspace, expand **Distribution Status**, and then select **Content Status**. 
 3. Select the feature update package that you previously identified to download the feature updates. 
-4. On the **Home** tab, in the Content group, click **View Status**.
+4. On the **Home** tab, in the Content group, select **View Status**.
 
 ### Step 3: Deploy the feature update(s) 
 After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). 
 
-1. In the Configuration Manager console, click **Software Library**. 
-2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 
-3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**.
+1. In the Configuration Manager console, select **Software Library**. 
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and select **All Windows 10 Updates**. 
+3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right select, and select **Deploy**.
 
    The **Deploy Software Updates Wizard** opens. 
 4. On the General page, configure the following settings: 
@@ -178,7 +175,7 @@ After you determine which feature updates you intend to deploy, you can manually
      >[!NOTE]
      >A software update group deployed as **Required** will be downloaded in background and honor BITS settings, if configured.
 
-   - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when **Type of deployment** is set to **Required**. 
+   - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that don't require any software updates in the deployment aren't started. By default, this setting isn't enabled and is available only when **Type of deployment** is set to **Required**. 
 
      >[!WARNING]
      >Before you can use this option, computers and networks must be configured for Wake On LAN. 
@@ -189,7 +186,7 @@ After you determine which feature updates you intend to deploy, you can manually
    - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. 
    
    - **Software available time**: Select **Specific time** to specify when the software updates will be available to clients:
-     - **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the feature update in the deployment is not available for installation until after the specified date and time are reached and the required content has been downloaded.
+     - **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the feature update in the deployment isn't available for installation until after the specified date and time are reached and the required content has been downloaded.
  
    - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. 
    
@@ -198,7 +195,7 @@ After you determine which feature updates you intend to deploy, you can manually
 
      - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. However, for the purposes of the fixed servicing window, set the installation deadline date and time to a future value, well beyond the fixed servicing window. 
 
-     Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients will start downloading the content based on a randomized time. The feature update will not be displayed in Software Center for installation until the content is fully downloaded. This ensures that the feature update installation will start immediately when initiated.
+     Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients start downloading the content based on a randomized time. The feature update won't be displayed in Software Center for installation until the content is fully downloaded. This ensures that the feature update installation starts immediately when initiated.
 
 7. On the User Experience page, configure the following settings: 
    - **User notifications**: Specify **Display in Software Center and show all notifications**. 
@@ -214,25 +211,25 @@ After you determine which feature updates you intend to deploy, you can manually
      >[!NOTE]
      >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. 
    - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. 
-8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. 
+8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. 
 
    >[!NOTE]
    >You can review recent software updates alerts from the **Software Updates** node in the **Software Library** workspace. 
 9. On the Download Settings page, configure the following settings: 
    - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. 
-   - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. 
-   - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). 
-   - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
+   - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates isn't available on a preferred distribution point. 
+   - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). 
+   - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates aren't available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
    - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. 
 
      >[!NOTE]
-     >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). 
-10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. 
-11. Click **Next** to deploy the feature update(s). 
+     >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/mem/configmgr/core/plan-design/hierarchy/content-source-location-scenarios). 
+10. On the Summary page, review the settings. To save the settings to a deployment template, select **Save As Template**, enter a name and select the settings that you want to include in the template, and then select **Save**. To change a configured setting, select the associated wizard page and change the setting. 
+11. Select **Next** to deploy the feature update(s). 
 
 ### Step 4: Monitor the deployment status
 After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status:
 
 1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. 
-2. Click the software update group or software update for which you want to monitor the deployment status. 
-3. On the **Home** tab, in the **Deployment** group, click **View Status**.
+2. Select the software update group or software update for which you want to monitor the deployment status. 
+3. On the **Home** tab, in the **Deployment** group, select **View Status**.
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index 2978105443..972dd73a69 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -1,21 +1,26 @@
 ---
-title: Make FoD and language packs available for WSUS/Configuration Manager
-description: Learn how to make FoD and language packs available when you're using WSUS/Configuration Manager.
+title: FoD and language packs for WSUS and Configuration Manager
+description: Learn how to make FoD and language packs available to clients when you're using WSUS or Configuration Manager.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 ms.author: mstewart
 author: mestew
 ms.localizationpriority: medium
-ms.date: 03/13/2019
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a>
+- ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>
+ms.date: 03/13/2019
 ---
+
 # How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
 
-**Applies to**
+This article describes how to make Features on Demand and language packs available when you're using WSUS or Configuration Manager for specific versions of Windows.
 
--   Windows 10
--   Windows 11
+## Version information for Features on Demand and language packs
 
 In Windows 10 version 21H2 and later, non-Administrator user accounts can add both a display language and its corresponding language features.
 
@@ -23,10 +28,15 @@ As of Windows 10 version 1709, you can't use Windows Server Update Services (WSU
 
 The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
 
-In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location.  Changing this policy on these OS versions does not influence how language packs are acquired.
+In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location.  Changing this policy on these OS versions doesn't influence how language packs are acquired.
 
 In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It's currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location.
 
-For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
+For all OS versions, changing the **Specify settings for optional component installation and component repair** policy doesn't affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
 
 Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/).
+
+## More resources
+
+- [WSUS documentation](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus)
+- [Configuration Manager documentation](/mem/configmgr/)
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index bb423208bf..5dc206f1aa 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -1,23 +1,22 @@
 ---
 title: Windows client updates, channels, and tools
-description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them
+description: Brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # Windows client updates, channels, and tools
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
+This article provides a brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them.
 ## How Windows updates work
 
 There are four phases to the Windows update process:
@@ -26,18 +25,18 @@ There are four phases to the Windows update process:
 administrator. This process is invisible to the user.
 - **Download:** Once the device determines that an update is available, it begins downloading the update. The download process is also invisible to the user. With feature updates, download happens in multiple
 sequential phases.
-- **Install:** After the update is downloaded, depending on the device’s Windows Update settings, the update is installed on the system.
+- **Install:** After the update is downloaded, depending on the device's Windows Update settings, the update is installed on the system.
 - **Commit and restart:** Once installed, the device usually (but not always) must be restarted in order to complete the installation and begin using the update. Before that happens, a device is still running the previous
 version of the software.
 
 ## Types of updates
 
-We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. 
+We include information here about many different update types you hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. 
 
-- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
-- **Quality updates:** Quality updates deliver both security and non-security fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
-- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
-- **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
+- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they're delivered frequently (rather than every 3-5 years), they're easier to manage.
+- **Quality updates:** Quality updates deliver both security and nonsecurity fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They're typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
+- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates aren't necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically doesn't have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
+- **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they're installed or not.
 - **Microsoft product updates:** These update other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools.
 
 
@@ -50,13 +49,14 @@ The first step of controlling when and how devices install updates is assigning
 
 ### General Availability Channel
 
-In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release.
+In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel installs a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release.
 
 
 ### Windows Insider Program for Business
 
-Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel:
+Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are options within the Windows Insider Program for Business channel:
 
+- Windows Insider Canary
 - Windows Insider Dev
 - Windows Insider Beta
 - Windows Insider Release Preview
@@ -73,12 +73,12 @@ The General Availability Channel is the default servicing channel for all Window
 
 | Edition | General Availability Channel | Insider Program | Long-Term Servicing Channel |
 | --- | --- | --- | --- |
-| Home | ![yes.](images/checkmark.png)|![no](images/crossmark.png)    | ![no](images/crossmark.png)|
-| Pro | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
-| Enterprise  | ![yes.](images/checkmark.png) |![yes](images/checkmark.png)  |  ![no](images/crossmark.png)|
-| Enterprise LTSC  | ![no.](images/crossmark.png) |![no](images/crossmark.png) |   ![yes](images/checkmark.png)|
-| Pro Education | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
-| Education  | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
+| Home | Yes|No    | No|
+| Pro | Yes | Yes |  No|
+| Enterprise  | Yes |Yes  |  No|
+| Enterprise LTSC  | No |No |   Yes|
+| Pro Education | Yes | Yes |  No|
+| Education  | Yes | Yes |  No|
 
 ## Servicing tools
 
@@ -104,4 +104,4 @@ Your individual devices connect to Microsoft endpoints directly to get the updat
 
 ### Hybrid scenarios
 
-It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.
+It's also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index 907f34dd28..ef02459999 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -1,47 +1,38 @@
 ---
 title: How Windows Update works
-description: In this article, learn about the process Windows Update uses to download and install updates on a Windows client devices.
+description: In this article, learn about the process Windows Update uses to download and install updates on Windows client devices.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # How Windows Update works
 
-**Applies to**
-
--   Windows 10
--   Windows 11
-
 The Windows Update workflow has four core areas of functionality: 
 
-### Scan
-
-1. Orchestrator schedules the scan.
-2. Orchestrator verifies admin approvals and policies for download.
-
-
-### Download
-1. Orchestrator starts downloads.
-2. Windows Update downloads manifest files and provides them to the arbiter.
-3. The arbiter evaluates the manifest and tells the Windows Update client to download files.
-4. Windows Update client downloads files in a temporary folder.
-5. The arbiter stages the downloaded files.
-
-
-### Install
-1. Orchestrator starts the installation.
-2. The arbiter calls the installer to install the package.
-
-
-### Commit
-1. Orchestrator starts a restart.
-2. The arbiter finalizes before the restart.
+1. Scan
+   1. Orchestrator schedules the scan.
+   1. Orchestrator verifies admin approvals and policies for download.
+1. Download
+   1. Orchestrator starts downloads.
+   1. Windows Update downloads manifest files and provides them to the arbiter.
+   1. The arbiter evaluates the manifest and tells the Windows Update client to download files.
+   1. Windows Update client downloads files in a temporary folder.
+   1. The arbiter stages the downloaded files.
+1. Install
+   1. Orchestrator starts the installation.
+   1. The arbiter calls the installer to install the package.
+1. Commit
+   1. Orchestrator starts a restart.
+   1. The arbiter finalizes before the restart.
 
 
 ## How updating works 
@@ -52,7 +43,7 @@ During the updating process, the Windows Update Orchestrator operates in the bac
 
 The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.  
 
-When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. 
+When devices check for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. 
 
 Make sure you're familiar with the following terminology related to Windows Update scan:
 
@@ -61,8 +52,8 @@ Make sure you're familiar with the following terminology related to Windows Upda
 |Update|We use this term to mean several different things, but in this context it's the actual updated code or change.| 
 |Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| 
 |Child update|Leaf update that's bundled by another update; contains payload.| 
-|Detector update|A special "update" that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| 
-|Category update|A special "detectoid" that has an **IsInstalled** rule that is always true. Used for grouping updates and to allow the device to filter updates. |
+|Detector update|A special update that contains `IsInstalled` applicability rule only and no payload. Used for prerequisite evaluation.| 
+|Category update|A special `detectoid` that has an `IsInstalled` rule that is always true. Used for grouping updates and allowing the device to filter updates. |
 |Full scan|Scan with empty datastore.| 
 |Delta scan|Scan with updates from previous scan already cached in datastore.| 
 |Online scan|Scan that uses the network and to check an update server. |
@@ -80,7 +71,7 @@ Windows Update does the following actions when it runs a scan.
 #### Starts the scan for updates  
 When users start scanning in Windows Update through the Settings panel, the following occurs:  
 
-- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates. 
+- The scan first generates a `ComApi` message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates. 
 - "Agent" messages: queueing the scan, then actually starting the work: 
    - Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers. 
    - Windows Update uses the thread ID filtering to concentrate on one particular task. 
@@ -88,9 +79,9 @@ When users start scanning in Windows Update through the Settings panel, the foll
       ![Windows Update scan log 1.](images/update-scan-log-1.png)
       
 #### Proxy Behavior
-For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP]: SimpleAuth Web Service | Microsoft Docs, [MS-WUSP]: Client Web Service | Microsoft Docs):
+For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP: SimpleAuth Web Service](/openspecs/windows_protocols/ms-wusp/61235469-6c2f-4c08-9749-e35d52c16899), [MS-WUSP: Client Web Service](/openspecs/windows_protocols/ms-wusp/69093c08-da97-445e-a944-af0bef36e4ec)):
 - System proxy is attempted (set using the `netsh` command).
-- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it is the logged-in user).
+- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it's the logged-in user).
 
     > [!Note]
     > For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior.
@@ -130,13 +121,13 @@ Common update failure is caused due to network issues. To find the root of the i
    > [!NOTE]
    > If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service. 
 
-- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can’t scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it’s locally configured.
+- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can't scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it's locally configured.
    ![Windows Update scan log 3.](images/update-scan-log-3.png)
    
 ## Downloading updates 
 ![Windows Update download step.](images/update-download-step.png)
 
-Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.  
+Once the Windows Update Orchestrator determines which updates apply to your computer, it begins downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.  
 
 To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption. 
  
diff --git a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
index fda5f5a881..24da4ab44e 100644
--- a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
@@ -32,7 +32,7 @@ A deployment audience is a collection of devices that you want to deploy updates
    ```
 
 
-1. Add devices, using their **Azure AD ID**, to the deployment audience so they become audience members. Specify the deployment **Audience ID** in the URL field and the devices to add in the request body. The `id` property specifies the **Azure AD ID** of the device.
+1. Add devices, using their **Microsoft Entra ID**, to the deployment audience so they become audience members. Specify the deployment **Audience ID** in the URL field and the devices to add in the request body. The `id` property specifies the **Microsoft Entra ID** of the device.
 
    ```msgraph-interactive
    POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience 
diff --git a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
index 0ae067e62f..ed62f731f1 100644
--- a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
@@ -17,7 +17,7 @@ You enroll devices based on the types of updates you want them to receive. Curre
    1. Enter the following request into the URL field: </br>
     `https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/enrollAssets`
    1. In the **Request body** tab, enter the following JSON, supplying the following information:
-      - **Azure AD Device ID** as `id`
+      - **Microsoft Entra Device ID** as `id`
       - Either `feature` or `driver` for the updateCategory
 
       ```json
diff --git a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
index b2f438598f..336236ee43 100644
--- a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
@@ -27,7 +27,7 @@ Use the [device](/graph/api/resources/device) resource type to find clients to e
 
 ### Add a request header for advanced queries
 
-For the next requests, set the **ConsistencyLevel** header to `eventual`. For more information about advanced query parameters, see [Advanced query capabilities on Azure AD directory objects](/graph/aad-advanced-queries).
+For the next requests, set the **ConsistencyLevel** header to `eventual`. For more information about advanced query parameters, see [Advanced query capabilities on Microsoft Entra directory objects](/graph/aad-advanced-queries).
 
 1. In Graph Explorer, select the **Request headers** tab.
 1. For **Key** type in `ConsistencyLevel` and for **Value**, type `eventual`.
@@ -49,6 +49,6 @@ For the next requests, set the **ConsistencyLevel** header to `eventual`. For mo
 
 > [!Tip]
 > Requests using the [device](/graph/api/resources/device) resource type typically have both an `id` and a `deviceid`:
-> - The `deviceid` is the **Azure AD Device ID** and will be used in this article.
+> - The `deviceid` is the **Microsoft Entra Device ID** and will be used in this article.
 >    - Later in this article, this `deviceid` will be used as an `id` when you make certain requests such as adding a device to a deployment audience.
-> - The `id` from the [device](/graph/api/resources/device) resource type is usually the Azure AD Object ID, which won't be used in this article.
+> - The `id` from the [device](/graph/api/resources/device) resource type is usually the Microsoft Entra Object ID, which won't be used in this article.
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
index 3b19cd934d..8d869d1f69 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
@@ -17,7 +17,7 @@ For this article, you'll use Graph Explorer to make requests to the [Microsoft G
 > - Requests listed in this article require signing in with a Microsoft 365 account. If needed, a free one month trial is available for [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium).
 > - Using a test tenant to learn and verify the deployment process is highly recommended. Graph Explorer is intended to be a learning tool. Ensure you understand  [granting consent](/graph/security-authorization) and the [consent type](/graph/api/resources/oauth2permissiongrant#properties) for Graph Explorer before proceeding.
 
-1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using an Azure Active Directory (Azure AD) user account.
+1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using a Microsoft Entra user account.
 1. You may need to enable the [`WindowsUpdates.ReadWrite.All` permission](/graph/permissions-reference#windows-updates-permissions) to use the queries in this article. To enable the permission:
     1. Select the **Modify permissions** tab in Graph Explorer.
     1. In the permissions dialog box, select the **WindowsUpdates.ReadWrite.All** permission then select **Consent**. You may need to sign in again to grant consent.
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
index f85f158a63..682134eb32 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
@@ -10,14 +10,14 @@ ms.localizationpriority: medium
 ---
 <!--This file is shared by deployment-service-drivers.md and the deployment-service-feature-updates.md articles. Headings may be driven by article context. 7512398 -->
 
-When a device no longer needs to be managed by the deployment service, unenroll it. Just like [enrolling a device](#enroll-devices), specify either `driver` or `feature` as the value for the `updateCategory`. The device will no longer receive updates from the deployment service for the specified update category. Depending on the device's configuration, it may start to receive updates from Windows Update. For instance, if a device is still enrolled for feature updates, but it's unenrolled from drivers:
+When a device no longer requires management, unenroll it from the deployment service. Just like [enrolling a device](#enroll-devices), specify either `driver` or `feature` as the value for the `updateCategory`. The device will no longer receive updates from the deployment service for the specified update category. Depending on the device's configuration, it may start to receive updates from Windows Update. For instance, if a device is still enrolled for feature updates, but it's unenrolled from drivers:
 
 - Existing driver deployments from the service won't be offered to the device
-- The device will continue to receive feature updates from the deployment service
+- The device continues to receive feature updates from the deployment service
 - Drivers may start being installed from Windows Update depending on the device's configuration
 
 To unenroll a device, POST to [updatableAssets](/graph/api/resources/windowsupdates-updatableasset) using [unenrollAssets](/graph/api/windowsupdates-updatableasset-unenrollassets). In the request body, specify:
-- **Azure AD Device ID** as `id` for the device
+- **Microsoft Entra Device ID** as `id` for the device
 - Either `feature` or `driver` for the updateCategory
 
 The following example removes `driver` enrollment for two devices, `01234567-89ab-cdef-0123-456789abcdef` and `01234567-89ab-cdef-0123-456789abcde0`:
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 342b6d4210..da738e8991 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -11,17 +11,17 @@ ms.localizationpriority: medium
 <!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context.  -->
 Accessing Windows Update for Business reports typcially requires permissions from multiple sources including:
 
-- [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
+- [Microsoft Entra ID](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
 - [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
-- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Azure AD roles access to sign in
+- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Microsoft Entra roles access to sign in
 
 **Roles that can enroll into Windows Update for Business reports**
 
 To [enroll](../wufb-reports-enable.md#bkmk_enroll) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
 
-- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role
-- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role
-- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Azure AD role
+- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Microsoft Entra role
+- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Microsoft Entra role
+- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Microsoft Entra role
 - [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role
   - Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center
 
@@ -43,4 +43,4 @@ Examples of commonly assigned roles for Windows Update for Business reports user
 | [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) + Log Analytics reader | No | No | Yes | Yes | No |  
 
 > [!NOTE]
-> The Azure AD roles discussed in this article for the Microsoft 365 admin center access apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
+> The Microsoft Entra roles discussed in this article for the Microsoft 365 admin center access apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
diff --git a/windows/deployment/update/includes/wufb-reports-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md
index 1975275322..388592c36c 100644
--- a/windows/deployment/update/includes/wufb-reports-endpoints.md
+++ b/windows/deployment/update/includes/wufb-reports-endpoints.md
@@ -5,7 +5,7 @@ manager: aaroncz
 ms.technology: itpro-updates
 ms.prod: windows-client
 ms.topic: include
-ms.date: 04/06/2022
+ms.date: 08/21/2023
 ms.localizationpriority: medium
 ---
 <!--This file is shared by updates/wufb-reports-prerequisites.md and the update/update-compliance-configuration-manual.md articles. Headings are driven by article context.  -->
@@ -14,10 +14,11 @@ Devices must be able to contact the following endpoints in order to authenticate
 
 | **Endpoint**  | **Function**  |
 |---------------------------------------------------------|-----------|
-| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. |
-| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
-| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. |
-| `https://adl.windows.com` | Required for Windows Update functionality. |
-| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. |
-| `https://oca.telemetry.microsoft.com`  | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. |
-| `https://login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
+| `*v10c.events.data.microsoft.com` </br> </br> `eu-v10c.events.data.microsoft.com` for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn) <!--8141818--> | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. |
+| `umwatsonc.events.data.microsoft.com` </br> </br> `eu-watsonc.events.data.microsoft.com` for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn) | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. |
+| `v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
+| `settings-win.data.microsoft.com` | Used by Windows components and applications to dynamically update their configuration. Required for Windows Update functionality. |
+| `adl.windows.com` | Required for Windows Update functionality. |
+| `oca.telemetry.microsoft.com`  | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. |
+| `login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
+| `*.blob.core.windows.net` | Azure blob data storage.|
\ No newline at end of file
diff --git a/windows/deployment/update/includes/wufb-reports-script-error-codes.md b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
index a6ca5fedc8..479b5a9eff 100644
--- a/windows/deployment/update/includes/wufb-reports-script-error-codes.md
+++ b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
@@ -44,6 +44,6 @@ ms.localizationpriority: medium
 | 66    | Failed to verify UTC connectivity and recent uploads.|  
 | 67    | Unexpected failure when verifying UTC CSP.|
 | 99    | Device isn't Windows 10 or Windows 11.|
-| 100   | Device must be Azure AD joined or hybrid Azure AD joined to use Windows Update for Business reports.|
-| 101   | Check Azure AD join failed with unexpected exception.|
+| 100   | Device must be Microsoft Entra joined or Microsoft Entra hybrid joined to use Windows Update for Business reports.|
+| 101   | Check Microsoft Entra join failed with unexpected exception.|
 | 102   | DisableOneSettingsDownloads policy shouldn't be enabled. Please disable this policy.|
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 2c7e5e39f8..e2f3ab0e3c 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -1,24 +1,22 @@
 ---
 title: Update Windows installation media with Dynamic Update
-description: Learn how to deploy feature updates to your mission critical devices
+description: Learn how to acquire and apply Dynamic Update packages to existing Windows images prior to deployment
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 07/17/2023
 ms.reviewer: stevedia
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 07/17/2023
 ---
 
 # Update Windows installation media with Dynamic Update
 
-**Applies to**
-
--   Windows 10
--   Windows 11
-
 This article explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
 
 Volume-licensed media is available for each release of Windows in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
diff --git a/windows/deployment/update/media/7991583-update-seeker-enabled.png b/windows/deployment/update/media/7991583-update-seeker-enabled.png
new file mode 100644
index 0000000000..34e0e5e413
Binary files /dev/null and b/windows/deployment/update/media/7991583-update-seeker-enabled.png differ
diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md
index b088d43792..1245ce7f59 100644
--- a/windows/deployment/update/optional-content.md
+++ b/windows/deployment/update/optional-content.md
@@ -1,20 +1,21 @@
 ---
 title: Migrating and acquiring optional Windows content
-description: Keep language resources and Features on Demand during operating system updates
+description: How to keep language resources and Features on Demand during operating system updates for your organization.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 03/15/2023
 ---
 
 # Migrating and acquiring optional Windows content during updates
 
-***(Applies to: Windows 11 & Windows 10)***
-
 This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term.
 
 When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update). 
@@ -43,7 +44,7 @@ Windows Setup needs access to the optional content. Since optional content isn't
 
 ### User-initiated feature acquisition failure
 
-The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits **Settings**, and attempts to install a second language, more language experience features, or other optional content. Again, since these features aren't in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can't be found, users are frustrated, and another help desk call could result. This pain point is sometimes referred to as *failure to acquire optional content*.
+The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits **Settings**, and attempts to install a second language, more language experience features, or other optional content. Again, since these features aren't in the operating system, the packages need to be acquired. For a typical user with internet access, Windows acquires the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can't be found, users are frustrated, and another help desk call could result. This pain point is sometimes referred to as *failure to acquire optional content*.
 
 ## Options for acquiring optional content
 
@@ -77,7 +78,7 @@ Consider moving to Windows Update for Business. Not only will the optional conte
 
 Starting in March 2023, UUP has been integrated with WSUS and Configuration Manager to bring the same optional content and acquisition benefits of Windows Update to on-premises management solutions. For example:
 
-- FODs and languages will automatically migrate for devices that perform an in-place update using an approved Windows 11, version 22H2 client feature update from WSUS. Similarly, updates such as the combined cumulative update, Setup updates, and Safe OS updates will be included and current based on the month that the feature update was approved.
+- FODs and languages will automatically migrate for devices that perform an in-place update using an approved Windows 11, version 22H2 client feature update from WSUS. Similarly, updates such as the combined cumulative update, Setup updates, and Safe OS updates are included and current based on the month that the feature update was approved.
 
 - Devices that upgrade using a local Windows image but use WSUS or Configuration Manager for approving the combined cumulative update will benefit by having support for optional content acquisition in the updated Windows OS, as well as OS self-healing.
 
@@ -94,9 +95,9 @@ If you're not ready to move to Windows Update, another option is to enable Dynam
 - **Latest cumulative update**: Installs the latest cumulative quality update.
 - **Driver updates**: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update.
 
-In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device isn't connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with `setupconfig.ini`. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
+In addition to these updates for the new operating system, Dynamic Update acquires optional content during the update process to ensure that the device has this content present when the update completes. So, although the device isn't connected to Windows Update, it fetches content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with `setupconfig.ini`. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
 
-Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will reboot again for the latest cumulative update since it wasn't available during the feature update.
+Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device reboots again for the latest cumulative update since it wasn't available during the feature update.
 
 One further consideration when using Dynamic Update is the effect on your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Setup downloads Dynamic Update content using Delivery Optimization when available. For devices that aren't connected to the internet, a subset of the Dynamic Update content is available by using WSUS and the Microsoft catalog.
 
@@ -120,7 +121,7 @@ The benefit of this option is that the Windows image can include those additiona
 
 A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using `setupconfig.ini`. For more information, see [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview).
 
-When Setup runs, it will inject these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages can't be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cabs from the LPLIP ISO. <!--Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn't a fatal error. Starting with Windows 10, version 1903,--> We treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don't migrate FOD and languages (unless Dynamic Update is enabled).
+When Setup runs, it injects these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages can't be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cab files from the LPLIP ISO. <!--Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn't a fatal error. Starting with Windows 10, version 1903,--> We treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don't migrate FOD and languages (unless Dynamic Update is enabled).
 
 This approach has some interesting benefits. The original Windows image doesn't need to be modified, possibly saving time and scripting. 
 
@@ -134,12 +135,12 @@ Several of the options address ways to address optional content migration issues
 
 - The file path to the alternate source must be a fully qualified path; multiple locations can be separated by a semicolon.
 - This setting doesn't support installing language packs from an alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired.
-- If this setting isn't configured or disabled, files will be downloaded from the default Windows Update location, for example Windows Update for Business or WSUS.
+- If this setting isn't configured or disabled, files are downloaded from the default Windows Update location, for example Windows Update for Business or WSUS.
 
 For more information, see [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source).
 
 
-## Learn more
+## More resources
 
 For more information about the Unified Update Platform and the approaches outlined in this article, see the following resources:
 
@@ -156,11 +157,11 @@ For more information about the Unified Update Platform and the approaches outlin
 
 ## Sample scripts
 
-Options 4 and 6 involve the most scripting. Sample scripts for Option 4 already exist, so we'll look at sample scripts for [Option 6](#option-6-install-optional-content-after-deployment): Install Optional Content after Deployment.
+Options 4 and 6 involve the most scripting. Sample scripts for Option 4 already exist, so let's look at sample scripts for [Option 6](#option-6-install-optional-content-after-deployment): Install Optional Content after Deployment.
 
 ### Creating an optional content repository
 
-To get started, we'll build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We'll configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository. 
+To get started, we build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository. 
 
 
 
@@ -573,7 +574,7 @@ Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction ignore | Out-Null
 
 ### Saving optional content in the source operating system
 
-To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This action will limit the files to copy.
+To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This action limits the files to copy.
 
 
 ```powershell
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
index cf56100362..3116459b20 100644
--- a/windows/deployment/update/plan-define-readiness.md
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -1,26 +1,26 @@
 ---
 title: Define readiness criteria
-description: Identify important roles and figure out how to classify apps
+description: Identify important roles and figure out how to classify apps so you can plan and manage your deployment
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
 manager: aaroncz
 ms.localizationpriority: medium
-ms.topic: article
-ms.technology: itpro-updates
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # Define readiness criteria
 
-**Applies to**
-
--   Windows 10
--   Windows 11
+Planning and managing a deployment involves a variety of distinct activities and roles best suited to each activity. This article describes how to identify important roles and figure out how to classify apps.
 
 ## Figure out roles and personnel
 
-Planning and managing a deployment involves a variety of distinct activities and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
+As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
 
 ### Process manager
 
@@ -50,13 +50,9 @@ This table sketches out one view of the other roles, with their responsibilities
 |Stakeholders     | Represent groups affected by updates, for example, heads of finance, end-user services, or change management        | Key decision maker for a business unit or department        | Plan, pilot deployment, broad deployment        |
 
 
-
-
-
-
 ## Set criteria for rating apps
 
-Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren’t critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This process will help you understand how best to deploy updates and how to resolve any issues that could arise.
+Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren't critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This process will help you understand how best to deploy updates and how to resolve any issues that could arise.
 
 In the Prepare phase, you'll apply the criteria you define now to every app in your organization.
 
@@ -78,7 +74,7 @@ Here's an example priority rating system; the specifics could vary for your orga
 |---------|---------|
 |1        | Any issues or risks identified must be investigated and resolved as soon as possible.        |
 |2     | Start investigating risks and issues within two business days and fix them *during* the current deployment cycle.    |
-|3     | Start investigating risks and issues within 10 business days. You don’t have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle.        |
+|3     | Start investigating risks and issues within 10 business days. You don't have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle.        |
 |4     | Start investigating risks and issues within 20 business days. You can fix them in the current or any future development cycle.        |
 
 Related to priority, but distinct, is the concept of severity. You should define a severity ranking as well, based on how you feel a problem with an app should affect the deployment cycle.
diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md
index bc225337f8..9f3f2e92b7 100644
--- a/windows/deployment/update/plan-define-strategy.md
+++ b/windows/deployment/update/plan-define-strategy.md
@@ -1,45 +1,43 @@
 ---
 title: Define update strategy
-description: Two examples of a calendar-based approach to consistent update installation
+description: Example of using a calendar-based approach to achieve consistent update installation in your organization.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # Define update strategy with a calendar
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices.
 
-Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an extra 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
+Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows release cycles, update mechanisms, and relevant tools to support this model. For more information about the Windows lifecycle, see [Windows lifecycle FAQ](/lifecycle/faq/windows).
 
-We encourage you to deploy every available release and maintain a fast cadence for some portion of your environment. We also recognize that you might have a large number of devices, and a need for little or no disruption. So, you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly.
+We encourage you to deploy every available release and maintain a fast cadence for some portion of your environment. We also recognize that you might have a large number of devices, and a need for little or no disruption. The lifecycle cadence lets you allow some portion of your environment to move faster while the majority can move less quickly.
 
 ## Calendar approaches
-You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they'll stop receiving the monthly security updates.
+You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they stop receiving the monthly security updates once a version is out of support.
 
-### Annual
-Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Configuration Manager and Microsoft 365 Apps release cycles:
+## Annual approach
+Here's a calendar showing an example schedule that applies one Windows feature update per calendar year, aligned with Microsoft Configuration Manager and Microsoft 365 Apps release cycles:
 
 [ ![Calendar showing an annual update cadence.](images/annual-calendar.png) ](images/annual-calendar.png#lightbox)
 
-This approach provides approximately 12 months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
+This approach provides approximately 12 months of use from each feature update before the next update is due to be installed by aligning to the Windows H2 feature update. 
 
 This cadence might be most suitable for you if any of these conditions apply:
 
-- You're just starting your journey with the Windows 10 servicing process. If you're unfamiliar with new processes that support Windows 10 servicing, moving from a project happening once every three to five years to a twice-a-year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
+- You're just starting your journey with the Windows servicing process. If you're unfamiliar with new processes that support Windows servicing, moving from a project happening once every three to five years to a feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
 
-- You want to wait and see how successful other companies are at adopting a Windows 10 feature update.
+- You want to wait and see how successful other companies are at adopting a Windows feature update.
 
-- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get extra servicing for Windows 10 (30 months of servicing compared to 18 months).
+- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows serviced in case business priorities change. 
 
 
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index b25c48f947..735e5a3095 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -1,37 +1,35 @@
 ---
 title: Determine application readiness
-manager: aaroncz
-description: How to test your apps to know which need attention prior to deploying an update
+description: How to test your apps to identify which need attention prior to deploying an update in your organization.
 ms.prod: windows-client
-ms.localizationpriority: medium
-ms.topic: article
+ms.technology: itpro-updates
+ms.topic: conceptual
 ms.author: mstewart
 author: mestew
-ms.technology: itpro-updates
+manager: aaroncz
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # Determine application readiness
 
-**Applies to**
-
--   Windows 10
--   Windows 11
-
 Before you deploy a Windows client update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps](plan-define-readiness.md) with respect to their criticality in your organization.
 
 ## Validation methods
 
-You can choose from a variety of methods to validate apps. Exactly which ones to use will depend on the specifics of your environment.
+You can choose from various methods to validate apps. Exactly which ones to use depends on the specifics of your environment.
 
 
 |Validation method  |Description  |
 |---------|---------|
-|Full regression     | A full quality assurance probing. Staff who know the application well and can validate its core functionality should do this.        |
-|Smoke testing     | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they’re validating.        |
-|Automated testing     |  Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically.    |
-|Test in pilot     | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types.        |
-|Reactive response     | Applications are validated in late pilot, and no specific users are selected. These applications normally aren't installed on many devices and aren’t handled by enterprise application distribution.        |
+|Full regression     | A full quality assurance probing. Staff that know the application well and can validate its core functionality should do this validation.        |
+|Smoke testing     | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they're validating.        |
+|Automated testing     |  Software performs tests automatically. The software lets you know whether the tests have passed or failed, and provides detailed reporting for you automatically.    |
+|Test in pilot     | You preselect users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types.        |
+|Reactive response     | Applications are validated in late pilot, and no specific users are selected. These applications normally aren't installed on many devices and aren't handled by enterprise application distribution.        |
 
 Combining the various validation methods with the app classifications you've previously established might look like this:
 
@@ -46,7 +44,7 @@ Combining the various validation methods with the app classifications you've pre
 
 ### Identify users
 
-Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you'll have to choose which users are best suited for validation testing. Some factors to consider include:
+Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you have to choose which users are best suited for validation testing. Some factors to consider include:
 
 - **Location**: If users are in different physical locations, can you support them and get validation feedback from the region they're in?
 - **Application knowledge**: Do the users have appropriate knowledge of how the app is supposed to work?
@@ -56,10 +54,10 @@ You could seek volunteers who enjoy working with new features and include them i
 
 ### Identify and set up devices for validation
 
-In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection will include devices representing all of the hardware models in your environment.
+In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection includes devices representing all of the hardware models in your environment.
 
-There is more than one way to choose devices for app validation:
+There's more than one way to choose devices for app validation:
 
 - **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles.
-- **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
+- **Manual selection**: Some internal groups like operations have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
 - **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices.
diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md
index a6c241bac8..ad9ebeff3a 100644
--- a/windows/deployment/update/prepare-deploy-windows.md
+++ b/windows/deployment/update/prepare-deploy-windows.md
@@ -2,28 +2,26 @@
 title: Prepare to deploy Windows
 description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # Prepare to deploy Windows
 
-**Applies to**
-
--   Windows 10
--   Windows 11
-
-Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows client. The planning phase will have left you with these useful items:
+Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows client. The planning phase left you with these useful items:
 
 - A clear understanding of necessary personnel and their roles and criteria for [rating app readiness](plan-define-readiness.md)
 - A plan for [testing and validating](plan-determine-app-readiness.md) apps
 - An assessment of your [deployment infrastructure](eval-infra-tools.md) and definitions for operational readiness
-- A [deployment plan](create-deployment-plan.md) that defines the rings you want to use 
+- A [deployment plan](create-deployment-plan.md) that defines the rings you want to use
 
 Now you're ready to actually start making changes in your environment to get ready to deploy.
 
@@ -33,26 +31,26 @@ Now you're ready to actually start making changes in your environment to get rea
 - Update non-Microsoft security tools like security agents or servers.
 - Update non-Microsoft management tools like data loss prevention agents.
 
-Your infrastructure probably includes many different components and tools. You’ll need to ensure your environment isn’t affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps:
+Your infrastructure probably includes many different components and tools. You need to ensure your environment isn't affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps:
 
-1.	Review all of the infrastructure changes that you’ve identified in your plan. It’s important to understand the changes that need to be made and to detail how to implement them.  This process prevents problems later on.
+1.	Review all of the infrastructure changes that you've identified in your plan. It's important to understand the changes that need to be made and to detail how to implement them.  This process prevents problems later on.
 
-2.	Validate your changes. You’ll validate the changes for your infrastructure’s components and tools, to help you understand how your changes could affect your production environment. 
+2.	Validate your changes. You validate the changes for your infrastructure's components and tools, to help you understand how your changes could affect your production environment. 
 
 3.	Implement the changes. Once the changes have been validated, you can implement the changes across the wider infrastructure.
 
 
-You should also look at your organization’s environment’s configuration and outline how you’ll implement any necessary changes previously identified in the plan phase to support the update. Consider what you’ll need to do for the various settings and policies that currently underpin the environment. For example:
+You should also look at your organization's environment's configuration and outline how you'll implement any necessary changes previously identified in the plan phase to support the update. Consider what you need to do for the various settings and policies that currently underpin the environment. For example:
 
-- Implement new draft security guidance. New versions of Windows can include new features that improve your environment’s security. Your security teams will want to make appropriate changes to security-related configurations.
+- Implement new draft security guidance. New versions of Windows can include new features that improve your environment's security. Your security teams will want to make appropriate changes to security-related configurations.
 
 - Update security baselines. Security teams understand the relevant security baselines and will have to work to make sure all baselines fit into whatever guidance they have to adhere to.
 
-However, your configuration will consist of many different settings and policies. It’s important to only apply changes where they are necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that will slow down the update process. You want to ensure your environment isn’t affected adversely because of changes you make. For example:
+However, your configuration will consist of many different settings and policies. It's important to only apply changes where they're necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that slow down the update process. You want to ensure your environment isn't affected adversely because of changes you make. For example:
 
-1.	Review new security settings. Your security team will review the new security settings to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.
+1.	Review new security settings. Your security team reviews the new security settings to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.
 
-2.	Review security baselines for changes. Security teams will also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant.
+2.	Review security baselines for changes. Security teams also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant.
 
 3.	Implement and validate security settings and baseline changes. Your security teams will then implement all of the security settings and baselines, having addressed any potential outstanding issues.
 
@@ -142,9 +140,9 @@ You can also create and run scripts to perform additional cleanup actions on dev
 
 - Compact the operating system by running **Compact.exe /CompactOS:always**.
 
-- Remove Windows Features on Demand that the user doesn't need. See [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) for more guidance.
+- Remove Windows Features on Demand that the user doesn't need. For more information, see [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities).
 
-- Move Windows Known Folders to OneDrive. See [Use Group Policy to control OneDrive sync settings](/onedrive/use-group-policy) for more information.
+- Move Windows Known Folders to OneDrive. For more information, see [Use Group Policy to control OneDrive sync settings](/onedrive/use-group-policy).
 
 - Clean up the Software Distribution folder. Try deploying these commands as a batch file to run on devices to reset the download state of Windows Updates:
 
@@ -167,9 +165,9 @@ You can also create and run scripts to perform additional cleanup actions on dev
 
 ## Prepare capability
 
-In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You'll need to complete these higher-level tasks to gain those new capabilities:
+In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You need to complete these higher-level tasks to gain those new capabilities:
 
-- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions will come with new policies that you use to update ADMX templates. 
+- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions come with new policies that you use to update ADMX templates. 
 
 - Validate new changes to understand how they affect the wider environment.
 
@@ -177,12 +175,12 @@ In the plan phase, you determined the specific infrastructure and configuration
 
 ## Prepare users
 
-Users often feel like they are forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning.
+Users often feel like they're forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning.
 
-You can employ a variety of measures to achieve this goal, for example:
+You can employ various measures to achieve this goal, for example:
 
 - Send overview email about the update and how it will be deployed to the entire organization.
 - Send personalized emails to users about the update with specific details.
 - Set an opt-out deadline for employees that need to remain on the current version for a bit longer, due to a business need.
-- Provide the ability to voluntarily update at users’ convenience.
+- Provide the ability to voluntarily update at users' convenience.
 - Inform users of a mandatory installation date when the update will be installed on all devices.
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 6061c9efab..bb6949ca8e 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -1,19 +1,21 @@
 ---
 title: Update release cycle for Windows clients
-description: Learn about the release cycle of updates for Windows clients to stay productive and protected.
+description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 05/19/2023
 ---
 
 # Update release cycle for Windows clients
 <!--7696511-->
-***(Applies to: Windows 11 & Windows 10)***
 
 Windows updates help you to stay productive and protected. They provide your users and IT administrators with the security fixes they need, and protect devices so that unpatched vulnerabilities can't be exploited. Updates for the Windows client OS are typically cumulative. They include all previously released fixes to guard against fragmentation of the operating system. Reliability and vulnerability issues can occur when only a subset of fixes is installed.
 
@@ -23,11 +25,11 @@ This article provides details on the types of updates that Microsoft provides, a
 
 |Release type | Description | Release cycle |
 |---|---|---|
-| [Monthly security update release](#monthly-security-update-release)| A cumulative update release that includes both security and non-security content | Second Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
-| [Optional non-security preview release](#optional-non-security-preview-release)| An optional cumulative update release that's typically used for early validation of the monthly security update release| Fourth Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
+| [Monthly security update release](#monthly-security-update-release)| A cumulative update release that includes both security and nonsecurity content | Second Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
+| [Optional nonsecurity preview release](#optional-nonsecurity-preview-release)| An optional cumulative update release that's typically used for early validation of the monthly security update release| Fourth Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
 | [Out-of-band (OOB) release](#oob-releases) | Resolves a recently identified issue or vulnerability | As needed |
 | [Annual feature update](#annual-feature-updates) | An update with new features and enhancements that also changes the Windows version | Once a year in the second half of the calendar year |
-| [Continuous innovation for Windows 11](#continuous-innovation-for-windows-11)| Introduces new features and enhancements for Windows 11 | Periodically included in an optional non-security preview release then in the monthly security update releases |
+| [Continuous innovation for Windows 11](#continuous-innovation-for-windows-11)| Introduces new features and enhancements for Windows 11 | Periodically included in an optional nonsecurity preview release then in the monthly security update releases |
 
 
 ## Monthly security update release
@@ -42,7 +44,7 @@ Most people are familiar with the **monthly security update release**. The **mon
 - Latest cumulative update (LCU)
 
 
-**Monthly security update releases** are cumulative. The release includes both new and previously released security fixes, along with non-security content introduced in the prior month's [**Optional non-security preview release**](#optional-non-security-preview-release). These updates help keep Windows devices secure and compliant by deploying stability fixes and addressing security vulnerabilities. Most organizations consider monthly security update releases as mandatory.
+**Monthly security update releases** are cumulative. The release includes both new and previously released security fixes, along with nonsecurity content introduced in the prior month's [**Optional nonsecurity preview release**](#optional-nonsecurity-preview-release). These updates help keep Windows devices secure and compliant by deploying stability fixes and addressing security vulnerabilities. Most organizations consider monthly security update releases as mandatory.
 
 Monthly security update releases are available through the following channels:
 
@@ -52,11 +54,11 @@ Monthly security update releases are available through the following channels:
 
 Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
 
-## Optional non-security preview release
+## Optional nonsecurity preview release
 
-**Optional non-security preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, non-security preview releases. New features might initially be deployed in the prior month's **optional non-security preview release**, then ship in the following **monthly security update release**. These releases are only offered to the most recent, supported versions of Windows.
+**Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. These releases are only offered to the most recent, supported versions of Windows.
 
-**Optional non-security preview releases** might commonly be referred to as:
+**Optional nonsecurity preview releases** might commonly be referred to as:
 
 - C or D week releases (meaning the third or fourth week of the month)
 - Preview updates
@@ -64,9 +66,9 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
 - LCU preview
 
 > [!Important]
-> Starting in April 2023, all **optional non-security preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
+> Starting in April 2023, all **optional nonsecurity preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
 
-To access the optional non-security preview release:
+To access the optional nonsecurity preview release:
 - Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**. 
 - Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
 - Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
@@ -78,16 +80,16 @@ To access the optional non-security preview release:
 Some key considerations about OOB releases include: 
 
 - OOB releases are always cumulative. 
-  - OOB releases supersede any prior monthly security update and optional non-security preview release. 
+  - OOB releases supersede any prior monthly security update and optional nonsecurity preview release. 
 - OOB releases generally require IT admins to deploy off-cycle.  
 - Some OOB releases are classified as critical.
   - Critical OOB releases are automatically available to WSUS and Windows Update for Business, just like the monthly security update releases.  
-- Some OOB releases are classified as non-critical.
-  - Non-critical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
+- Some OOB releases are classified as noncritical.
+  - Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
 
 ## Continuous innovation for Windows 11
 
-Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **optional non-security preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **monthly security update release**.
+Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **optional nonsecurity preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **monthly security update release**.
 
 Some of the new features may be disruptive to organizations. By default, these select features are turned off temporarily for all managed devices until the next annual feature update is installed. In this scenario, a device is considered managed if it uses one of the following to determine which updates to install:
 
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index 6535bc2084..86232917dd 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -1,31 +1,29 @@
 ---
-title: Safeguard holds
-description: What are safeguard holds, how can you tell if one is in effect, and what to do about it.
+title: Safeguard holds for Windows
+description: What are safeguard holds? How to can you tell if a safeguard hold is in effect, and what to do about it.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
 ms.collection:
   - highpri
   - tier2
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # Safeguard holds
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply safeguard holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use safeguard holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe effect (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround isn't immediately available.
 
 Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client.
 
-The safeguard holds lifespan varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update will resume offering new operating system versions to devices.
+The safeguard holds lifespan varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update resumes offering new operating system versions to devices.
 
 Safeguard holds only affect devices that use the Windows Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
 
@@ -37,11 +35,11 @@ IT admins can use [Windows Update for Business reports](wufb-reports-overview.md
 
 Windows Update for Business reports identifies safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find more details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.
 
-On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
+On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users see a message.
 
 ![Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page.](images/safeguard-hold-notification.png)
 
-This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we'll release the safeguard hold and the update can resume safely.
+This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we release the safeguard hold so the update can resume safely.
 
 ## What can I do?
 
diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md
index 96b29c913a..30227f3553 100644
--- a/windows/deployment/update/safeguard-opt-out.md
+++ b/windows/deployment/update/safeguard-opt-out.md
@@ -1,38 +1,35 @@
 ---
 title: Opt out of safeguard holds
-description: Steps to install an update even it if has a safeguard hold applied
+description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it. 
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 10/21/2020
 ---
 
 # Opt out of safeguard holds
 
-**Applies to**
-
--   Windows 10
--   Windows 11
-
 Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows client feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see [Safeguard holds](safeguard-holds.md).
 
 ## How can I opt out of safeguard holds?
 
-IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update and in Windows 11. 
+IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running the following operating systems:
+- Windows 11 
+- Windows 10, version 1809, or later, with the October 2020 security update.
 
 > [!CAUTION]
 > Opting out of a safeguard hold can put devices at risk from known performance issues. 
 
 We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows client feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business.
 
-Disabling safeguards does not guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you are bypassing the protection against known issues. 
+Disabling safeguards doesn't guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you're bypassing the protection against known issues. 
 
 > [!NOTE]
-> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured” even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update.  
-
-
-
+> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to **Not configured** even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft's default protection from known issues for each new feature update.  
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 30228a83de..fd0efc4571 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -2,29 +2,26 @@
 title: Servicing stack updates
 description: In this article, learn how servicing stack updates improve the code that installs the other updates.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: high
 ms.author: mstewart
 manager: aaroncz
 ms.collection:
   - highpri
   - tier2
-ms.topic: conceptual
-ms.technology: itpro-updates
+ms.localizationpriority: high
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server </a>
 ms.date: 12/31/2017
 ---
 
 # Servicing stack updates
 
-
-**Applies to**
-
--   Windows 10
--   Windows 11
--   Windows Server
-
 ## What is a servicing stack update?
-Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
+Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically doesn't have updates released every month.
 
 ## Why should servicing stack updates be installed and kept up to date?
   
@@ -34,8 +31,6 @@ Servicing stack updates improve the reliability of the update process to mitigat
 
 Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
 
->[!NOTE]
->You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
 
 ## What's the difference between a servicing stack update and a cumulative update?
 
@@ -49,18 +44,18 @@ Microsoft publishes all cumulative updates and SSUs for Windows 10, version 2004
 
 Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
 
-Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
+Typically, the improvements are reliability and performance improvements that don't require any specific special guidance. If there's any significant impact, it will be present in the release notes.
 
 ## Installation notes
 
 * Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
-* Installing servicing stack update does not require restarting the device, so installation should not be disruptive. 
+* Installing servicing stack update doesn't require restarting the device, so installation shouldn't be disruptive. 
 * Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
 * Servicing stack updates can be delivered with Windows Update, or you can perform a search to install the latest available at [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001).
-* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
+* Once a servicing stack update is installed, it can't be removed or uninstalled from the machine.
 
 ## Simplifying on-premises deployment of servicing stack updates
 
-With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
+With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update includes the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you'll only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update is available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
 
 
diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md
index 9173c21e30..b534f09c0c 100644
--- a/windows/deployment/update/update-baseline.md
+++ b/windows/deployment/update/update-baseline.md
@@ -1,35 +1,35 @@
 ---
-title: Update Baseline
-description: Use an update baseline to optimize user experience and meet monthly update goals
+title: Windows 10 Update Baseline
+description: Use an update baseline to optimize user experience and meet monthly update goals in your organization.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # Update Baseline
 
-**Applies to:** Windows 10
-
 > [!NOTE]
-> Update Baseline is not currently available for Windows 11.
+> Update Baseline isn't currently available for Windows 11.
 
 With the large number of different policies offered for Windows client, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations. 
 
 ## Why is Update Baseline needed? 
 
-Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you are just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations. 
+Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you're just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations. 
 
 ## You can use Update Baseline to: 
 
 - Ensure that user and device configuration settings are compliant with the baseline. 
 - Set configuration settings. You can use Group Policy to configure a device with the setting values specified in the baseline. 
 
-Update Baseline doesn't affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices and when. 
+Update Baseline doesn't affect your offering policies, whether you're using deferrals or target version to manage which updates are offered to your devices and when. 
 
 ## Policies included in the Update Baseline 
 
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
index d4302cecac..b7fa2d5094 100644
--- a/windows/deployment/update/update-policies.md
+++ b/windows/deployment/update/update-policies.md
@@ -1,23 +1,21 @@
 ---
-title: Policies for update compliance, activity, and user experience
-description: Explanation and recommendations for settings
+title: Policies for update compliance and user experience
+description: Explanation and recommendations for update compliance, activity, and user experience for your organization.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
 manager: aaroncz
 ms.localizationpriority: medium
-ms.topic: article
-ms.technology: itpro-updates
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # Policies for update compliance, activity, and user experience
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 Keeping devices up to date is the best way to keep them working smoothly and securely. 
 
 ## Deadlines for update compliance
@@ -30,7 +28,7 @@ deadline approaches, and then prioritize velocity as the deadline nears, while s
 Beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709
 and later (including Windows 11), a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**.
 
-The older policies started enforcing deadlines once the device reached a “restart pending” state for
+The older policies started enforcing deadlines once the device reached a `restart pending` state for
 an update. The new policy starts the countdown for the update installation deadline from when the
 update is published plus any deferral. In addition, this policy includes a configurable grace period and the option
 to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic
@@ -42,7 +40,7 @@ We recommend you set deadlines as follows:
 
 Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded
 later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you
-do **not** set any notification policies, because they are automatically configured with appropriate defaults. An exception is if you
+do **not** set any notification policies, because they're automatically configured with appropriate defaults. An exception is if you
 have kiosks or digital signage.
 
 While three days for quality updates and seven days for feature updates is our recommendation, you might decide
@@ -57,7 +55,7 @@ to a minimum of two days.
 ### Grace periods
 
 You can set a period of days for Windows to find a minimally disruptive automatic restart time before the restart is enforced. This
-is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device will not
+is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device won't
 be forced to update immediately when the user returns.
 
 We recommend you set the following:
@@ -79,15 +77,15 @@ automatic restart. To take advantage of this feature, ensure **ConfigureDeadline
 Windows typically requires that a device is active and connected to the internet for at least six hours, with at least two
 of continuous activity, in order to successfully complete a system update. The device could have other
 physical circumstances that prevent successful installation of an update--for example, if a laptop is running low
-on battery power, or the user has shut down the device before active hours end and the device cannot comply
+on battery power, or the user has shut down the device before active hours end and the device can't comply
 with the deadline.
 
-You can use the settings in this section to ensure that devices are actually available to install updates during the update compliance period.
+You can use the settings in this section to ensure that devices are available to install updates during the update compliance period.
 
 ### Active hours
 
-"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts will occur outside of
-these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a user’s activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update.
+"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts occur outside of
+these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a user's activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update.
 
 > [!IMPORTANT]
 > If you used the **Configure Active Hours** setting in previous versions of Windows 10, these
@@ -96,14 +94,12 @@ options must be **Disabled** in order to take advantage of intelligent active ho
 If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update
 velocity:
 
-- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it’s possible to set the system to delay restarts for users who are logged
-in, this might delay an update indefinitely if a user is always either logged in or shut down. Instead, we
-recommend setting the following polices to **Disabled**:
+- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following polices to **Disabled**:
     - **Turn off auto-restart during active hours**
     - **No auto-restart with logged on users for scheduled automatic updates**
 
-    - [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users will receive notifications that
-updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the user’s ability to delay a restart outside of compliance deadline settings.
+    - [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users receive notifications that
+updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the user's ability to delay a restart outside of compliance deadline settings.
 
 - **Do not allow users to approve updates and reboots**. Letting users approve or engage with the update process outside of the deadline policies decreases update velocity and increases risk. These policies should be set to **Disabled**:
     - [Update/RequireUpdateApproval](/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
@@ -113,8 +109,8 @@ updates will occur, so we recommend that you set this policy to **Disabled**, to
     - [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozescheduleforfeatureupdates)
     - [Update/EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-csp-update#update-engagedrestarttransitionschedule)
 
-- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you’re using Microsoft Intune, setting the value to [Reset to Default](/mem/intune/protect/windows-update-settings#user-experience-settings).
-- **Allow auto Windows Update to download over metered networks**. Since more and more devices primarily use cellular data and do not have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting does not allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they are connected to the internet or not, provided they have cellular service. 
+- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you're using Microsoft Intune, setting the value to [Reset to Default](/mem/intune/protect/windows-update-settings#user-experience-settings).
+- **Allow auto Windows Update to download over metered networks**. Since more devices primarily use cellular data and don't have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting doesn't allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they're connected to the internet or not, provided they have cellular service. 
 
 > [!IMPORTANT]
 > Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies:
@@ -127,11 +123,11 @@ recommend setting this value to **3** (corresponding to 3 AM). If 3:00 AM is in
 
 ### Power policies
 
-Devices must actually be available during non-active hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs:
+Devices must actually be available during nonactive hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs:
 
-To a user, a device is either on or off, but for Windows, there are states that will allow an update to occur (active) and states that do not (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update.
+To a user, a device is either on or off, but for Windows, there are states that allow an update to occur (active) and states that don't (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update.
 
-You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during non-active hours.
+You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during nonactive hours.
 
 > [!NOTE]
 > One way to ensure that devices can install updates when you need them to is to educate your users to keep devices plugged in during non-active hours. Even with the best policies, a device that isn't plugged in will not be updated, even in sleep mode.
@@ -139,13 +135,12 @@ You can override the default settings and prevent users from changing them in or
 We recommend these power management settings:
 
 - Sleep mode (S1 or S0 Low Power Idle or [Modern Standby](/windows-hardware/design/device-experiences/modern-standby)). When a device is in sleep mode, the system
-appears to be off but if an update is available, it can wake the device up in order to take an update. The
+appears to be off but if an update is available, it can wake up the device in order to take an update. The
 power consumption in sleep mode is between working (system fully usable) and hibernate (S4 - lowest
-power level before shutdown). When a device is not being used, the system will generally move to sleep
+power level before shutdown). When a device isn't being used, the system will generally move to sleep
 mode before it goes to hibernate. Issues in velocity arise when the time between sleep and hibernate is
-too short and Windows does not have time to complete an update. Sleep mode is an important setting
-because the system can wake the system from sleep in order to start the update process, as long as there
-is enough power.
+too short and Windows doesn't have time to complete an update. Sleep mode is an important setting
+because the system can wake the system from sleep in order to start the update process, as long as there's enough power.
 
 Set the following policies to **Enable** or **Do Not Configure** in order to allow the device to use sleep mode:
 - [Power/AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#power-allowstandbystateswhensleepingonbattery)
@@ -156,15 +151,15 @@ sleep mode and the device has an opportunity to take an update:
 - [Power/SelectLidCloseActionOnBattery](/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactiononbattery)
 - [Power/SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin)
 
-- **Hibernate**. When a device is hibernating, power consumption is very low and the system cannot wake up
-without user intervention, like pressing the power button. If a device is in this state, it cannot be updated
+- **Hibernate**. When a device is hibernating, power consumption is low and the system can't wake up
+without user intervention, like pressing the power button. If a device is in this state, it can't be updated
 unless it supports an ACPI Time and Alarm Device (TAD). That said, if a device supporting Traditional Sleep
-(S3) is plugged in, and a Windows update is available, a hibernate state will be delayed until the update is complete.
+(S3) is plugged in, and a Windows update is available, a hibernate state is delayed until the update is complete.
 
 > [!NOTE]
 > This does not apply to devices that support Modern Standby (S0 Low Power Idle). You can check which system sleep state (S3 or S0 Low Power Idle) a device supports by running `powercfg /a` at a command prompt. For more, see [Powercfg options](/windows-hardware/design/device-experiences/powercfg-command-line-options#option_availablesleepstates).
 
-The default timeout on devices that support traditional sleep is set to three hours. We recommend that you do not reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation:
+The default timeout on devices that support traditional sleep is set to three hours. We recommend that you don't reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation:
 
 - [Power/HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutonbattery)
 - [Power/HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutpluggedin)
@@ -177,7 +172,7 @@ Each release of Windows client can introduce new policies to make the experience
 > If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are
 > using an MDM tool (Microsoft or non-Microsoft), you can't use the new policy until it's available in the tool interface.
 
-As administrators, you have set up and expect certain behaviors, so we expressly do not remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.
+As administrators, you have set up and expect certain behaviors, so we expressly don't remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.
 
 > [!IMPORTANT] 
 > We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up:
@@ -192,11 +187,11 @@ As administrators, you have set up and expect certain behaviors, so we expressly
 
 The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict:
 - **Defer Feature Updates Period in Days**. For maximum update velocity, it's best to set this to **0** (no
-deferral) so that the feature update can complete and monthly security updates will be offered again. Even if there is an urgent quality update that must be quickly deployed, it is best to use **Pause Feature
+deferral) so that the feature update can complete and monthly security updates are offered again. Even if there's an urgent quality update that must be quickly deployed, it's best to use **Pause Feature
 Updates** rather than setting a deferral policy. You can choose a longer period if you don't want to stay up to date with the latest feature update.
 - **Defer Quality Updates Period in Days**. To minimize risk and maximize update velocity, the maximum time you might want to consider while evaluating the update with a different ring of devices is two to three days.
 - **Pause Feature Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution.
-- **Pause Quality Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution.
-- **Deadline No Auto Reboot**. Default is **Disabled – Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
+- **Pause Quality Updates Start Time**. Set to **Disabled** unless there's a known issue requiring time for a resolution.
+- **Deadline No Auto Reboot**. Default is **Disabled - Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
 
-There are additional policies are no longer supported or have been superseded.
+There are also additional policies are no longer supported or have been superseded.
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 1329d93a6b..840ea3d5a7 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -2,31 +2,28 @@
 title: Configure BranchCache for Windows client updates
 description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # Configure BranchCache for Windows client updates
 
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
 BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. 
 
 - Distributed Cache mode operates like the [Delivery Optimization](../do/waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. 
 
-    >[!TIP]
-    >Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution. 
+    > [!TIP]
+    > Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution. 
 
 - In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf. 
 
@@ -36,7 +33,7 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode
 
 Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)).
 
-In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
 
 ## Configure servers for BranchCache
 
@@ -44,8 +41,8 @@ You can use WSUS and Configuration Manager with BranchCache in Distributed Cache
 
 For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj572990(v=ws.11)) or [BranchCache Deployment Guide (Windows Server 2016)](/windows-server/networking/branchcache/deploy/branchcache-deployment-guide).
 
-In addition to these steps, there is one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode.
+In addition to these steps, there's one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode.
 
->[!NOTE]
->Configuration Manager only supports Distributed Cache mode.
+> [!NOTE]
+> Configuration Manager only supports Distributed Cache mode.
 
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index c6c7a89a58..6af6c31910 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -6,22 +6,21 @@ ms.prod: windows-client
 author: mestew
 ms.localizationpriority: medium
 ms.author: mstewart
-ms.topic: article
+ms.topic: conceptual
 ms.technology: itpro-updates
-ms.date: 05/19/2023
+ms.collection:
+  - tier1
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
+ms.date: 08/22/2023
 ---
 
 # Configure Windows Update for Business
 
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-- Windows Server 2022
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
 > [!NOTE]
@@ -162,7 +161,7 @@ In cases where the pause policy is first applied after the configured start date
 | MDM for Windows 10, version 1607 or later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates</br>**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime |
 | MDM for Windows 10, version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
 
-You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. 
+You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
 
 The local group policy editor (GPEdit.msc) won't reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
 
@@ -210,6 +209,43 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
 | GPO for Windows 10, version 1607 or later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate  |
 | MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
 
+## Enable optional updates
+<!--7991583-->
+In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Enable optional updates** policy.
+
+To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. 
+
+:::image type="content" source="media/7991583-update-seeker-enabled.png" alt-text="Screenshot of the Get the latest updates as soon as they're available option in the Windows updates page of Settings." lightbox="media/7991583-update-seeker-enabled.png":::
+
+The following options are available for the policy:
+
+- **Automatically receive optional updates (including CFRs)**:
+   - The latest optional nonsecurity updates and CFRs are automatically installed on the device. The quality update deferral period is applied to the installation of these updates.
+   - The **Get the latest updates as soon as they're available** option is selected and users can't change the setting.
+   - Devices will receive CFRs in early phases of the rollout.
+
+- **Automatically receive optional updates**:
+   - The latest optional nonsecurity updates are automatically installed on the device but CFRs aren't. The quality update deferral period is applied to the installation of these updates.
+   - The **Get the latest updates as soon as they're available** option isn't selected and users can't change the setting.
+
+- **Users can select which optional updates to receive**:
+   - Users can select which optional updates to install from **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Optional updates**.
+     - Optional updates are offered to the device, but user interaction is required to install them unless the **Get the latest updates as soon as they're available** option is also enabled.  
+     - CFRs are offered to the device, but not necessarily in the early phases of the rollout.
+   - Users can enable the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. If the user enables the **Get the latest updates as soon as they're available**, then:
+     - The device will receive CFRs in early phases of the rollout.
+     - Optional updates are automatically installed on the device.
+
+- **Not configured** (default):
+  - Optional updates aren't installed on the device and the **Get the latest updates as soon as they're available** option is disabled.
+
+**Policies to enable optional updates**
+
+| Policy | Sets registry key under HKLM\Software |
+| --- | --- |
+| GPO for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
+| MDM for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: </br>./Device/Vendor/MSFT/Policy/Config/Update/</br>**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
+
 ## Enable features that are behind temporary enterprise feature control
 <!--6544872-->
 
@@ -221,8 +257,8 @@ The features that are behind temporary enterprise feature control will be enable
 
 | Policy | Sets registry key under HKLM\Software |
 | --- | --- |
-| GPO for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl  |
-| MDM for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
+| GPO for Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl  |
+| MDM for Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>./Device/Vendor/MSFT/Policy/Config/Update/</br>**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
 
 
 ## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later
@@ -233,6 +269,7 @@ The following are quick-reference tables of the supported policy values for Wind
 
 | GPO Key |	Key type | Value |
 | --- | --- | --- |
+| AllowOptionalContent</br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs)</br> 2: Automatically receive optional updates </br> 3: Users can select which optional updates to receive </br> Other value or absent: Don't receive optional updates|
 | AllowTemporaryEnterpriseFeatureControl </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.</br> Other value or absent: Features that are shipped turned off by default will remain off |
 | BranchReadinessLevel	| REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast </br> 4: Systems take feature updates for the Windows Insider build - Slow </br> 8: Systems take feature updates for the Release Windows Insider build </br></br> Other value or absent: Receive all applicable updates |
 | DeferFeatureUpdates | REG_DWORD | 1: Defer feature updates</br>Other value or absent: Don't defer feature updates |
@@ -248,6 +285,7 @@ The following are quick-reference tables of the supported policy values for Wind
 
 | MDM Key | Key type | Value |
 | --- | --- | --- |
+| AllowOptionalContent </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs)</br> 2: Automatically receive optional updates </br> 3: Users can select which optional updates to receive </br> Other value or absent: Don't receive optional updates|
 | AllowTemporaryEnterpriseFeatureControl </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.</br> Other value or absent: Features that are shipped turned off by default will remain off |
 | BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast </br> 4: Systems take feature updates for the Windows Insider build - Slow </br> 8: Systems take feature updates for the Release Windows Insider build  </br>32: Systems take feature updates from General Availability Channel </br>Note: Other value or absent: Receive all applicable updates |
 | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
@@ -272,3 +310,4 @@ When a device running a newer version sees an update available on Windows Update
 | PauseFeatureUpdates | PauseFeatureUpdatesStartTime |
 | PauseQualityUpdates | PauseQualityUpdatesStartTime |
 
+ 
\ No newline at end of file
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 007f114627..d94af9011d 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -2,23 +2,20 @@
 title: Integrate Windows Update for Business
 description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 12/31/2017
 ---
 
 # Integrate Windows Update for Business with management solutions
 
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
 You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
@@ -28,8 +25,8 @@ You can integrate Windows Update for Business deployments with existing manageme
 
 For Windows 10, version 1607 and later, devices can be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS).  In a joint WSUS and Windows Update for Business setup:
 
-- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
-- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies
+- Devices receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
+- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows won't follow your Windows Update for Business deferral policies
 
 ### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS
 
@@ -37,9 +34,9 @@ For Windows 10, version 1607 and later, devices can be configured to receive upd
 
 - Device is configured to defer Windows quality updates using Windows Update for Business
 - Device is also configured to be managed by WSUS
-- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
+- Device isn't configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
 - Admin has opted to put updates to Office and other products on WSUS
-- Admin has also put 3rd party drivers on WSUS
+- Admin has also put third-party drivers on WSUS
 
 |Content|Metadata source|Payload source|Deferred?|
 |--- |--- |--- |--- |
@@ -70,12 +67,12 @@ For Windows 10, version 1607 and later, devices can be configured to receive upd
 **Configuration:**
 
 - Device is configured to defer quality updates using Windows Update for Business and to be managed by WSUS
-- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
+- Device is configured to **receive updates for other Microsoft products** along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
 - Admin has also placed Microsoft Update, non-Microsoft, and locally published update content on the WSUS server
 
-In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled. 
+In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS weren't enabled. 
 - In a non-WSUS case, these updates would be deferred just as any update to Windows would be.  
-- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied.  
+- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies aren't applied.  
 
 |Content|Metadata source|Payload source|Deferred?|
 |--- |--- |--- |--- |
@@ -90,9 +87,9 @@ In this example, the deferral behavior for updates to Office and other non-Windo
 
 ## Integrate Windows Update for Business with Microsoft Configuration Manager
 
-For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
+For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices are visible in the Configuration Manager console, however they appear with a detection state of **Unknown**.
 
 :::image type="content" alt-text="Example of unknown devices." source="images/wufb-sccm.png" lightbox="images/wufb-sccm.png":::
 
-For more information, see [Integration with Windows Update for Business in Windows 10](/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
+For more information, see [Integration with Windows Update for Business in Windows 10](/mem/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10).
 
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 93ab10c8bc..b1aee2ba14 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -1,33 +1,31 @@
 ---
-title: Deploy Windows client updates using Windows Server Update Services
+title: Deploy updates using Windows Server Update Services
 description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: how-to
 ms.collection:
   - highpri
   - tier2
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>	
 ms.date: 12/31/2017
 ---
 
 # Deploy Windows client updates using Windows Server Update Services (WSUS)
 
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
 
-WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Configuration Manager provides.
+WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they're delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but doesn't provide all the scheduling options and deployment flexibility that Microsoft Configuration Manager provides.
 
-When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11. 
+When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you're currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11. 
 
 
 
@@ -46,7 +44,7 @@ To be able to use WSUS to manage and deploy Windows feature updates, you must us
 
 ## WSUS scalability
 
-To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720448(v=ws.10)).
+To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services).
  
 
 
@@ -68,19 +66,19 @@ When using WSUS to manage updates on Windows client devices, start by configurin
    >[!NOTE]
    >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
     
-4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**.
+4. In the **New GPO** dialog box, name the new GPO **WSUS - Auto Updates and Intranet Update Service Location**.
 
-5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**.
+5. Right-click the **WSUS - Auto Updates and Intranet Update Service Location** GPO, and then select **Edit**.
 
 6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
 
-7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
+7. Right-click the **Configure Automatic Updates** setting, and then select **Edit**.
 
    ![Configure Automatic Updates in the UI.](images/waas-wsus-fig4.png)
     
 8. In the **Configure Automatic Updates** dialog box, select **Enable**.
 
-9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
+9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then select **OK**.
 
    ![Select Auto download and notify for install in the UI.](images/waas-wsus-fig5.png)
    
@@ -88,7 +86,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
    > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
     
    > [!NOTE]
-   > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720539(v=ws.10)). 
+   > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates). 
     
 10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**. 
 
@@ -117,13 +115,13 @@ You can use computer groups to target a subset of devices that have specific qua
 
 1. Open the WSUS Administration Console. 
 
-2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**. 
+2. Go to *Server_Name*\Computers\All Computers, and then select **Add Computer Group**. 
 
     ![Add Computer Group in the WSUS Administration UI.](images/waas-wsus-fig7.png)
     
-3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
+3. Type **Ring 2 Pilot Business Users** for the name, and then select **Add**.
 
-4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you’re finished, there should be three deployment ring groups.
+4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you're finished, there should be three deployment ring groups.
 
 Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
 
@@ -143,15 +141,15 @@ When new computers communicate with WSUS, they appear in the **Unassigned Comput
 
 1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers.
 
-    Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
+    Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you'll likely have many computers here.
 
-2. Select both computers, right-click the selection, and then click **Change Membership**.
+2. Select both computers, right-click the selection, and then select **Change Membership**.
 
     ![Select Change Membership in the UI.](images/waas-wsus-fig8.png)
 
-3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
+3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then select **OK**.
 
-    Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there.
+    Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you'll see both computers there.
 
 ### Search for multiple computers to add to groups
 
@@ -159,15 +157,15 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr
 
 **To search for multiple computers**
 
-1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**.
+1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then select **Search**.
 
 2. In the search box, type **WIN10**.
 
-3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
+3. In the search results, select the computers, right-click the selection, and then select **Change Membership**.
 
     ![Select Change Membership to search for multiple computers in the UI.](images/waas-wsus-fig9.png)
     
-4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
+4. Select the **Ring 3 Broad IT** deployment ring, and then select **OK**.
 
 You can now see these computers in the **Ring 3 Broad IT** computer group.
 
@@ -180,11 +178,11 @@ The WSUS Administration Console provides a friendly interface from which you can
 
 **To configure WSUS to allow client-side targeting from Group Policy**
 
-1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
+1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then select **Computers**.
 
      ![Select Comptuers in the WSUS Administration Console.](images/waas-wsus-fig10.png)
      
-2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
+2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then select **OK**.
 
     >[!NOTE]
     >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back. 
@@ -194,23 +192,23 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
 **To configure client-side targeting**
 
 >[!TIP]
->When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings.
+>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don't add computers to the incorrect rings.
 
 1. Open Group Policy Management Console (gpmc.msc).
 
 2. Expand Forest\Domains\\*Your_Domain*.
 
-3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+3. Right-click *Your_Domain*, and then select **Create a GPO in this domain, and Link it here**.
 
-4. In the **New GPO** dialog box, type **WSUS – Client Targeting – Ring 4 Broad Business Users** for the name of the new GPO.
+4. In the **New GPO** dialog box, type **WSUS - Client Targeting - Ring 4 Broad Business Users** for the name of the new GPO.
 
-5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**.
+5. Right-click the **WSUS - Client Targeting - Ring 4 Broad Business Users** GPO, and then select **Edit**.
 
     ![Select the WSUS ring 4 and edit in group policy.](images/waas-wsus-fig11.png)
     
 6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
 
-7. Right-click **Enable client-side targeting**, and then click **Edit**.
+7. Right-click **Enable client-side targeting**, and then select **Edit**.
 
 8. In the **Enable client-side targeting** dialog box, select **Enable**.
 
@@ -223,23 +221,23 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
 
 10. Close the Group Policy Management Editor.
 
-Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring. 
+Now you're ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring. 
 
 **To scope the GPO to a group**
 
-1. In GPMC, select the **WSUS – Client Targeting – Ring 4 Broad Business Users** policy.
+1. In GPMC, select the **WSUS - Client Targeting - Ring 4 Broad Business Users** policy.
 
-2. Click the **Scope** tab.
+2. Select the **Scope** tab.
 
 3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
 
     ![Remove the default AUTHENTICATED USERS security group in group policy.](images/waas-wsus-fig13.png)
     
-The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring. 
+The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they'll be added to the **Ring 4 Broad Business Users** deployment ring. 
 
 ## Automatically approve and deploy feature updates
 
-For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
+For clients that should have their feature updates approved as soon as they're available, you can configure Automatic Approval rules in WSUS.
 
 >[!NOTE]
 >WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](waas-overview.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
@@ -250,32 +248,32 @@ This example uses Windows 10, but the process is the same for Windows 11.
 
 1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
 
-2. On the **Update Rules** tab, click **New Rule**.
+2. On the **Update Rules** tab, select **New Rule**.
 
 3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
 
      ![Select the update and deadline check boxes in the WSUS Administration Console.](images/waas-wsus-fig14.png)
      
-4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
+4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then select **OK**.
 
-5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**.
+5. In the **Edit the properties area**, select the **any product** link. Clear all check boxes except **Windows 10**, and then select **OK**.
 
     Windows 10 is under All Products\Microsoft\Windows.
     
-6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**.
+6. In the **Edit the properties** area, select the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then select **OK**.
 
 7. Leave the deadline set for **7 days after the approval at 3:00 AM**.
 
-8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
+8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then select **OK**.
 
     ![Enter the ring 3 deployment name.](images/waas-wsus-fig15.png)
     
-9. In the **Automatic Approvals** dialog box, click **OK**.
+9. In the **Automatic Approvals** dialog box, select **OK**.
 
     >[!NOTE]
-    >WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
+    >WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you're using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
 
-Now, whenever Windows client feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
+Now, whenever Windows client feature updates are published to WSUS, they'll automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
 
 > [!WARNING]
 > The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows client version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large.
@@ -291,17 +289,17 @@ To simplify the manual approval process, start by creating a software update vie
 
 **To approve and deploy feature updates manually**
 
-1.	 In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
+1.	 In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, select **New Update View**.
 
 2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**.
 
-3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**.
+3. Under **Step 2: Edit the properties**, select **any classification**. Clear all check boxes except **Upgrades**, and then select **OK**.
 
-4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**.
+4. Under **Step 2: Edit the properties**, select **any product**. Clear all check boxes except **Windows 10**, and then select **OK**.
 
     Windows 10 is under All Products\Microsoft\Windows.
     
-5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
+5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then select **OK**.
 
      ![Enter All Windows 10 Upgrades for the name in the WSUS admin console.](images/waas-wsus-fig16.png)
 
@@ -309,7 +307,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
 
 1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
 
-2. Right-click the feature update you want to deploy, and then click **Approve**.
+2. Right-click the feature update you want to deploy, and then select **Approve**.
 
       ![Approve the feature you want to deploy in WSUS admin console.](images/waas-wsus-fig17.png)  
       
@@ -317,30 +315,17 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
 
       ![Select Approve for install in the WSUS admin console.](images/waas-wsus-fig18.png) 
       
-4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**. 
+4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Deadline**, select **One Week**, and then select **OK**. 
 
       ![Select a one week deadline in the WSUS admin console.](images/waas-wsus-fig19.png) 
       
-5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
+5. If the **Microsoft Software License Terms** dialog box opens, select **Accept**.
 
     If the deployment is successful, you should receive a successful progress report.
     
     ![A sample successful deployment.](images/waas-wsus-fig20.png) 
 
-6. In the **Approval Progress** dialog box, click **Close**.
-
-</br>
-
-## Steps to manage updates for Windows client
-
-|&nbsp; |&nbsp; |
-| --- | --- |
-| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Optimize update delivery for Windows client updates](../do/waas-optimize-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or Deploy Windows client updates using Windows Server Update Services (this topic)</br>or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+6. In the **Approval Progress** dialog box, select **Close**.
 
 
 
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 0b7e01ecae..58343cf36e 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -3,25 +3,21 @@ title: Windows Update for Business
 manager: aaroncz
 description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update.
 ms.prod: windows-client
-author: mestew
-ms.localizationpriority: medium
-ms.author: mstewart
 ms.topic: overview
+author: mestew
+ms.author: mstewart
 ms.collection:
   - highpri
   - tier2
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 12/31/2017
 ---
 
 # What is Windows Update for Business?
 
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
 Windows Update for Business is a free service that is available for the following editions of Windows 10 and Windows 11:
@@ -37,7 +33,7 @@ Specifically, Windows Update for Business lets you control update offerings and
 
 Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them.
 
-You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as a variety of other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
+You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as various other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
 
 
 ### Manage deployment of Windows Updates 
@@ -62,10 +58,11 @@ You can control when updates are applied, for example by deferring when an updat
 ### Manage when updates are offered
 You can defer or pause the installation of updates for a set period of time.
 
-#### Enroll in pre-release updates
+#### Enroll in prerelease updates
 
-The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:
+The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both prerelease and released updates:
 
+- Windows Insider Canary
 - Windows Insider Dev
 - Windows Insider Beta
 - Windows Insider Preview
@@ -81,7 +78,7 @@ A Windows Update for Business administrator can defer the installation of both f
 |---------|---------|
 |Feature updates     |  365 days       |
 |Quality updates     | 30 days        |
-|Non-deferrable     |   none      |
+|Nondeferrable     |   none      |
 
 <!--Example: Using deferrals to deploy in waves
       [Insert graphic with the deferrals set to different values showing a feature update rollout)--> 
@@ -107,7 +104,7 @@ For the best experience with Windows Update, follow these guidelines:
 
 ### Manage the end-user experience when receiving Windows Updates
 
-Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience. 
+Windows Update for Business provides controls to help meet your organization's security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience. 
 
 #### Recommended experience settings
 
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 2585696606..6f20706c2e 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -2,39 +2,36 @@
 title: Overview of Windows as a service
 description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: overview
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: overview
+ms.localizationpriority: medium
 ms.collection:
   - highpri
   - tier2
-ms.technology: itpro-updates
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 12/31/2017
 ---
 
 # Overview of Windows as a service
 
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
 Windows as a service is a way to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. 
 
 ## Building
 
-Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn’t work in today’s rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two times per year, around March and September, to help address these issues.
+Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn't work in today's rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. 
 
-In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible — during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible. 
+In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features are delivered to the [Windows Insider community](/windows-insider/business/register) as soon as possible, during the development cycle, through a process called *flighting*. Organizations can see exactly what Microsoft is developing and start their testing as soon as possible. 
 
 Microsoft also depends on receiving feedback from organizations throughout the development process so that it can make adjustments as quickly as possible rather than waiting until after release. For more information about the Windows Insider Program and how to sign up, see the section [Windows Insider](#windows-insider).
 
-Of course Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program. 
+Of course, Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program. 
 
 ## Deploying
 
@@ -43,13 +40,13 @@ Deploying Windows 10 and Windows 11 is simpler than with previous versions of Wi
 
 ### Application compatibility
 
-Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. 
+Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing regularly to validate compatibility with new builds. 
 
 ## Servicing
 
 Traditional Windows servicing has included several release types: major revisions (for example, the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10 and Windows 11, there are two release types: feature updates that add new functionality and quality updates that provide security and reliability fixes. 
 
-Servicing channels are the first way to separate users into deployment groups for feature and quality updates. For more information about developing a deployment strategy that leverages servicing channels, see [Plan servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md). 
+Servicing channels are the first way to separate users into deployment groups for feature and quality updates. For more information about developing a deployment strategy that uses servicing channels, see [Plan servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md). 
 
 For information about each servicing tool, see [Servicing tools](#servicing-tools).
 
@@ -58,7 +55,7 @@ There are three servicing channels, each of which provides different levels of f
 
 There are currently three release channels for Windows clients:
 
-- The **General Availability Channel** receives feature updates as soon as they are available. 
+- The **General Availability Channel** receives feature updates as soon as they're available. 
 - The **Long-Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
 - The **Windows Insider Program** provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update.
 
@@ -75,9 +72,9 @@ New features are packaged into feature updates that you can deploy using existin
 
 ### Quality updates
 
-Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of non-security fixes.
+Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn't, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of nonsecurity fixes.
 
-Rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators see one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes. This approach makes updating simpler and ensures that devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from updates.
+Rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators see one cumulative monthly update that supersedes the previous month's update, containing both security and non-security fixes. This approach makes updating simpler and ensures that devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from updates.
 
 ## Servicing channels 
 
@@ -88,9 +85,9 @@ There are three servicing channels. The [Windows Insider Program](#windows-insid
 
 ### General Availability Channel
 
-In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
+In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you'll be able to choose the timing at which it goes into broad deployment.
 
-When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools).
+When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel is available but not necessarily immediately mandatory, depending on the policy of the management system. For more information about servicing tools, see [Servicing tools](#servicing-tools).
 
 
 > [!NOTE]
@@ -102,7 +99,7 @@ When Microsoft officially releases a feature update, we make it available to any
 
 ### Long-term Servicing Channel
 
-Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Enterprise LTSC devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSC clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
+Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don't need feature updates as frequently as other devices in the organization. It's more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Enterprise LTSC devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSC clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
 
 > [!NOTE]
 >
@@ -113,12 +110,12 @@ Microsoft never publishes feature updates through Windows Update on devices that
 > [!NOTE]
 > LTSC releases will support the currently released processors and chipsets at the time of release of the LTSC. As future CPU generations are released, support will be created through future LTSC releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](/lifecycle/faq/windows).
 
-The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSC editions. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in the Enterprise LTSC editions, even if you install by using sideloading.
+The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSC editions. This edition of Windows doesn't include some applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps aren't supported in the Enterprise LTSC editions, even if you install by using sideloading.
 
 
 ### Windows Insider
 
-For many IT pros, gaining visibility into feature updates early--before they’re available to the General Availability Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
+For many IT pros, gaining visibility into feature updates early can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
 
 Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](/windows-insider/business/register).
 
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 825676e789..f027e7d657 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -2,38 +2,35 @@
 title: Quick guide to Windows as a service (Windows 10)
 description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: high
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: high
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 12/31/2017
 ---
 
 # Quick guide to Windows as a service
 
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-Here is a quick guide to the most important concepts in Windows as a service. For more information, see the [extensive set of documentation](index.md).
+Here's a quick guide to the most important concepts in Windows as a service. For more information, see the [extensive set of documentation](index.md).
 
 ## Definitions
 
 Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
 
 - **Feature updates** are released annually. As the name suggests, these updates add new features, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
-- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
+- **Quality updates** deliver both security and nonsecurity fixes. They're typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they're important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
 - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
 - **Servicing channels** allow organizations to choose when to deploy new features. 
   - The **General Availability Channel** receives feature updates annually.
   - The **Long-Term Servicing Channel**, which is meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs, receives new feature releases every two to three years.
 - **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. 
 
-See [Overview of Windows as a service](waas-overview.md) for more information.
+For more information, see [Overview of Windows as a service](waas-overview.md).
 
 For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md).
 
@@ -41,15 +38,15 @@ For some interesting in-depth information about how cumulative updates work, see
 
 With each release in the General Availability Channel, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion. 
 
-Windows 10 Enterprise LTSC are separate **Long-Term Servicing Channel** versions. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
+Windows Enterprise LTSC versions are separate **Long-Term Servicing Channel** versions. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
 
 For more information, see [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md).
 
 ## Staying up to date
 
-To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Configuration Manager, and non-Microsoft products) to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
+To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Configuration Manager, and non-Microsoft products to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
 
-Extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
+Extensive advanced testing isn't required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
 
 This process repeats with each new feature update. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles.
 
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index e95825d0c0..18b0aa011f 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -1,36 +1,33 @@
 ---
 title: Manage device restarts after updates
-description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows 10 update is installed.
+description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows update is installed.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: how-to
 ms.collection:
   - highpri
   - tier2
-ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+ms.date: 10/10/2023
 ---
 
 # Manage device restarts after updates
 
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 
-You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
+You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts won't occur, or you can do both.
 
 ## Schedule update installation
 
 In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
 
-To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
+To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation occurs during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
 
 **Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
 
@@ -40,25 +37,25 @@ For a detailed description of these registry keys, see [Registry keys used to ma
 
 ## Delay automatic reboot
 
-When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation:
+When **Configure Automatic Updates** is enabled in Group Policy, you can also enable one of the following policies to delay an automatic reboot after update installation:
 
 - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
-- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
+- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device restarts at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
 
 > [!NOTE]
 > When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted. 
 
-You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
+You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it overrides this setting.
 
 For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
 
 ## Configure active hours
 
-*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours.
+*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update occur outside of the active hours.
 
 By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
 
-Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time.
+Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range is counted from the active hours start time.
 
 Administrators can use multiple ways to set active hours for managed devices:
 
@@ -78,7 +75,7 @@ MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](/windows/client
 
 ### Configuring active hours through Registry
 
-This method is not recommended, and should only be used when you can't use Group Policy or MDM.
+This method isn't recommended, and should only be used when you can't use Group Policy or MDM.
 Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
 
 Configure active hours by setting a combination of the following registry values:
@@ -102,7 +99,7 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan
 
 ## Limit restart delays
 
-After an update is installed, Windows attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
+After an update is installed, Windows attempts automatic restart outside of active hours. If the restart doesn't succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between 2 and 14.
 
 ## Control restart notifications
 
@@ -120,15 +117,15 @@ Starting in Windows 11, version 22H2, **Apply only during active hours** was add
 
 To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours).
 
-### Auto-restart notifications
+### Auto restart notifications
 
-Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. This setting was added in Windows 10, version 1703.
+Administrators can override the default behavior for the auto restart required notification. By default, this notification dismisses automatically. This setting was added in Windows 10, version 1703.
 
 To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
 
 To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](/windows/client-management/mdm/policy-configuration-service-provider#update-AutoRestartRequiredNotificationDismissal)
 
-You can also configure the period prior to an update that this notification will show up on. The default value is 15 minutes.
+You can also configure the period prior to an update that this notification shows up. The default value is 15 minutes.
 
 To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
 
@@ -141,20 +138,20 @@ To do so through Group Policy, go to **Computer Configuration\Administrative Tem
 
 To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable).
 
-### Scheduled auto-restart warnings
+### Scheduled auto restart warnings
 
-Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
+Since users aren't able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
 
-To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**.
+To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto restart can be configured by **Warning (mins)**.
 
-In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleRestartWarning) and the auto-restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleImminentRestartWarning).
+In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleRestartWarning) and the auto restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleImminentRestartWarning).
 
 ### Engaged restart
 
-Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts.
+Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows auto-restarts outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts.
 
 The following settings can be adjusted for engaged restart:
-* Period of time before auto-restart transitions to engaged restart.
+* Period of time before auto restart transitions to engaged restart.
 * The number of days that users can snooze engaged restart reminder notifications.
 * The number of days before a pending restart automatically executes outside of working hours.
 
@@ -164,17 +161,17 @@ In MDM, use [**Update/EngagedRestartTransitionSchedule**](/windows/client-manage
 
 ## Group Policy settings for restart
 
-In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
+In the Group Policy editor, you'll see policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
 
 | Policy | Applies to Windows 10 | Notes |
 | --- | --- | --- |
-| Turn off auto-restart for updates during active hours | ![yes.](images/checkmark.png) | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled.  |
-| Always automatically restart at the scheduled time | ![yes.](images/checkmark.png) | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
-| Specify deadline before auto-restart for update installation | ![yes.](images/checkmark.png)  | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled.  |
-| No auto-restart with logged on users for scheduled automatic updates installations | ![yes.](images/checkmark.png) | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
-| Re-prompt for restart with scheduled installations | ![no.](images/crossmark.png) |   |
-| Delay Restart for scheduled installations | ![no.](images/crossmark.png) |   |
-| Reschedule Automatic Updates scheduled installations | ![no.](images/crossmark.png) |   |
+| Turn off auto-restart for updates during active hours | Yes | Use this policy to configure active hours, during which the device won't be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled.  |
+| Always automatically restart at the scheduled time | Yes | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
+| Specify deadline before auto-restart for update installation | Yes | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled.  |
+| No auto-restart with logged on users for scheduled automatic updates installations | Yes | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
+| Re-prompt for restart with scheduled installations | No |   |
+| Delay Restart for scheduled installations | No |   |
+| Reschedule Automatic Updates scheduled installations | No |   |
 
 
 >[!NOTE]
@@ -190,8 +187,8 @@ The following tables list registry values that correspond to the Group Policy se
 
 | Registry key |	Key type | Value |
 | --- | --- | --- |
-| ActiveHoursEnd	| REG_DWORD | 0-23: set active hours to end at a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
-| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
+| ActiveHoursEnd	| REG_DWORD | 0-23: set active hours to end at a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
+| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
 | SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours</br>1: enable automatic restart after updates outside of active hours |
 
 **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
@@ -201,8 +198,8 @@ The following tables list registry values that correspond to the Group Policy se
 | AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time</br>1: enable automatic reboot after update installation at a scheduled time |
 | AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
 | AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates</br>3: automatically download and notify for installation of updates</br>4: Automatically download and schedule installation of updates</br>5: allow the local admin to configure these settings</br>**Note:** To configure restart behavior, set this value to **4** |
-| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on</br>1: do not reboot after an update installation if a user is logged on</br>**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation  |
-| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
+| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable don't reboot if users are logged on</br>1: don't reboot after an update installation if a user is logged on</br>**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation  |
+| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
 
 There are three different registry combinations for controlling restart behavior:
 
@@ -210,7 +207,7 @@ There are three different registry combinations for controlling restart behavior
 - To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, and **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
 - To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
 
-## Related articles
+## More resources
 
 - [Update Windows in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 82f1a7f953..894cb7361b 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -1,24 +1,20 @@
 ---
-title: Assign devices to servicing channels for Windows client updates
+title: Assign devices to servicing channels for updates
 description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 12/31/2017
 ---
 
-# Assign devices to servicing channels for Windows 10 updates
-
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
+# Assign devices to servicing channels for Windows updates
 
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
@@ -29,12 +25,12 @@ The General Availability Channel is the default servicing channel for all Window
 
 | Edition | General Availability Channel | Long-Term Servicing Channel | Insider Program |
 | --- | --- | --- | --- |
-| Home | ![no.](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
-| Pro | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
-| Enterprise  | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
-| Enterprise LTSC  | ![no.](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) |
-| Pro Education | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
-| Education  | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
+| Home | No | No | Yes |
+| Pro | Yes | No | Yes |
+| Enterprise  | Yes | No | Yes |
+| Enterprise LTSC  | No | Yes | No |
+| Pro Education | Yes | No | Yes |
+| Education  | Yes | No | Yes |
 
 
 >[!NOTE]
@@ -46,10 +42,10 @@ The General Availability Channel is the default servicing channel for all Window
 
 ## Enroll devices in the Windows Insider Program
 
-To get started with the Windows Insider Program for Business, follows these steps:
+To get started with the Windows Insider Program for Business, follow these steps:
 
-1. On the [Windows Insider](https://www.microsoft.com/windowsinsider/for-business) website, select **Register** to register your organizational Azure AD account.
-2. Follow the prompts to register your tenant.</br>**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register.
+1. On the [Windows Insider](https://www.microsoft.com/windowsinsider/for-business) website, select **Register** to register your organizational Microsoft Entra account.
+2. Follow the prompts to register your tenant.</br>**Note:** The signed-in user needs to be a **Global Administrator** of the Microsoft Entra domain in order to be able to register.
 3. Make sure the **Allow Telemetry** setting is set to **2** or higher.
 4. For Windows devices, set policies to manage preview builds and their delivery:
 
@@ -74,4 +70,3 @@ To prevent devices in your organization from being enrolled in the Insider Progr
 >Starting with Windows 10, version 1709, this policy is replaced by **Manage preview builds** policy.
 > * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
 > * MDM: **Update/ManagePreviewBuilds**
-
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index 278ccbed60..31038c9fc0 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -2,40 +2,36 @@
 title: Prepare a servicing strategy for Windows client updates
 description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 12/31/2017
 ---
 
 # Prepare a servicing strategy for Windows client updates
 
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
-Here’s an example of what this process might look like:
+Here's an example of what this process might look like:
 
-- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business.
+- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they're available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate prerelease builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business.
 - **Identify excluded devices.** For some organizations, special-purpose devices, like devices that control factory or medical equipment or run ATMs, require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. 
-- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
-- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
-- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
+- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you're looking for feedback rather than people to just "try it out" and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
+- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain needs to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for "ADMX download for Windows build xxxx". For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
+- **Choose a servicing tool.** Decide which product you'll use to manage the Windows updates in your environment. If you're currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you'll use, consider how you'll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
 - **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview). 
 
 
 Each time Microsoft releases a feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
 
-1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test devices step of the previous section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase.
-2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity will represent most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the “Recruit volunteers” step of the previous section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it. 
-3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department. 
+1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier "Configure test devices" step of the previous section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase.
+2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it's still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity represents most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the "Recruit volunteers" step of the previous section. Be sure to communicate clearly that you're looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it. 
+3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don't prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department. 
 
 
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 0c088b2aee..b370409adb 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -1,23 +1,24 @@
 ---
 title: Manage additional Windows Update settings
-description: In this article, learn about additional settings to control the behavior of Windows Update.
+description: In this article, learn about additional settings to control the behavior of Windows Update in your organization.
 ms.prod: windows-client
-ms.localizationpriority: medium
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
 manager: aaroncz
-ms.topic: how-to
 ms.collection:
   - highpri
   - tier2
-ms.technology: itpro-updates
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 04/25/2023
 ---
 
 # Manage additional Windows Update settings
 
-***(Applies to: Windows 11 & Windows 10)***
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 
 You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more.
@@ -34,7 +35,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure
 | [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
 | [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
 | [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
-| |  [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered <!--6286260-->|
+| |  [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Microsoft Entra joined or registered <!--6286260-->|
 | | [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) (registry only)| Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update <!--7679187-->|
 
 
@@ -256,12 +257,12 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
 
 ## Display organization name in Windows Update notifications
 <!--6286260-->
-When Windows 11 clients are associated with an Azure AD tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.  
+When Windows 11 clients are associated with a Microsoft Entra tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.  
   
-The organization name appears automatically for Windows 11 clients that are associated with Azure AD in any of the following ways:
-- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) 
-- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register)
-- [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
+The organization name appears automatically for Windows 11 clients that are associated with Microsoft Entra ID in any of the following ways:
+- [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) 
+- [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register)
+- [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
 
 To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry:
 
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index fbbb54d9b6..e65bab8900 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -2,23 +2,20 @@
 title: Configure Windows Update for Business by using CSPs and MDM
 description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 02/28/2023
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+ms.date: 10/10/2023
 ---
 
 # Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
 
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
 
@@ -42,7 +39,7 @@ You can control when updates are applied, for example by deferring when an updat
 
 Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
 
-To enable Microsoft Updates, use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
+To enable Microsoft Updates, use [Update/AllowMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
 
 Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate).
 
@@ -139,7 +136,8 @@ We recommend that you use set specific deadlines for feature and quality updates
 
 - [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates) 
 - [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
-- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) 
+- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
 - [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
 
 These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
@@ -176,9 +174,9 @@ There are additional settings that affect the notifications.
 
 We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
 
-**0** (default) – Use the default Windows Update notifications<br/>
-**1** – Turn off all notifications, excluding restart warnings<br/>
-**2** – Turn off all notifications, including restart warnings
+**0** (default) - Use the default Windows Update notifications<br/>
+**1** - Turn off all notifications, excluding restart warnings<br/>
+**2** - Turn off all notifications, including restart warnings
 
 > [!NOTE]
 > Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 7d696f704d..372a36d6df 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -1,28 +1,28 @@
 ---
 title: Configure Windows Update for Business via Group Policy
-description: Walk through of how to configure Windows Update for Business settings using Group Policy.
+description: Walk through of how to configure Windows Update for Business settings using Group Policy to update devices.
 ms.prod: windows-client
+ms.technology: itpro-updates
+manager: aaroncz
+ms.topic: conceptual
 author: mestew
 ms.localizationpriority: medium
 ms.author: mstewart
 ms.collection:
   - highpri
   - tier2
-manager: aaroncz
-ms.topic: how-to
-ms.technology: itpro-updates
-ms.date: 02/28/2023
+appliesto:
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
+ms.date: 10/10/2023
 ---
 
 # Walkthrough: Use Group Policy to configure Windows Update for Business
 
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 
 ## Overview 
 
@@ -195,11 +195,42 @@ Still more options are available in **Computer Configuration > Administrative Te
 
 Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
  
-Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to “Pause updates**.
+Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to Pause updates**.
 When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out.
 
 If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features**.
 
+#### I want to enable optional updates
+<!--7991583-->
+(*Starting in Windows 11, version 22H2 or later*)
+
+In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > Enable optional updates** policy.
+
+To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](waas-configure-wufb.md#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. 
+
+The following options are available for the policy:
+
+- **Automatically receive optional updates (including CFRs)**:
+   - The latest optional nonsecurity updates and CFRs are automatically installed on the device. The quality update deferral period is applied to the installation of these updates.
+   - The **Get the latest updates as soon as they're available** option is selected and users can't change the setting.
+   - Devices will receive CFRs in early phases of the rollout.
+
+- **Automatically receive optional updates**:
+   - The latest optional nonsecurity updates are automatically installed on the device but CFRs aren't. The quality update deferral period is applied to the installation of these updates.
+   - The **Get the latest updates as soon as they're available** option isn't selected and users can't change the setting.
+
+- **Users can select which optional updates to receive**:
+   - Users can select which optional updates to install from **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Optional updates**.
+     - Optional updates are offered to the device, but user interaction is required to install them unless the **Get the latest updates as soon as they're available** option is also enabled.  
+     - CFRs are offered to the device, but not necessarily in the early phases of the rollout.
+   - Users can enable the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. If the user enables the **Get the latest updates as soon as they're available**, then:
+     - The device will receive CFRs in early phases of the rollout.
+     - Optional updates are automatically installed on the device.
+
+- **Not configured** (default):
+  - Optional updates aren't installed on the device and the **Get the latest updates as soon as they're available** option is disabled.
+
+
 #### I want to enable features introduced via servicing that are off by default
 <!--6544872-->
 (*Starting in Windows 11, version 22H2 or later*)
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index 2280794391..c37d7cc3d2 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -2,95 +2,92 @@
 title: Windows Update error code list by component
 description: Learn about reference information for Windows Update error codes, including automatic update errors, UI errors, and reporter errors.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 author: mestew
 ms.author: mstewart
 manager: aaroncz
 ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 09/18/2018
-ms.topic: article
-ms.technology: itpro-updates
 ---
 
 # Windows Update error codes by component
 
-**Applies to**
-
--   Windows 10
--   Windows 11
-
-
 This section lists the error codes for Microsoft Windows Update. 
 
 ## Automatic Update Errors
 
 | Error code |            Message              |                                              Description                                               |
 |------------|---------------------------------|--------------------------------------------------------------------------------------------------------|
-| 0x80243FFF |  `WU_E_AUCLIENT_UNEXPECTED`     |          There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code.         |
-| 0x8024A000 |      `WU_E_AU_NOSERVICE`        |                      Automatic Updates was unable to service incoming requests.                        |
-| 0x8024A002 |   `WU_E_AU_NONLEGACYSERVER`     | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. |
-| 0x8024A003 | `WU_E_AU_LEGACYCLIENTDISABLED`  |                      The old version of the Automatic Updates client was disabled.                     |
-| 0x8024A004 |       `WU_E_AU_PAUSED`          |            Automatic Updates was unable to process incoming requests because it was paused.            |
-| 0x8024A005 | `WU_E_AU_NO_REGISTERED_SERVICE` |                               No unmanaged service is registered with `AU`.                            |
-| 0x8024AFFF |      `WU_E_AU_UNEXPECTED`       |                   An Automatic Updates error not covered by another `WU_E_AU*` code.                   |
+| `0x80243FFF` |  `WU_E_AUCLIENT_UNEXPECTED`     |          There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code.         |
+| `0x8024A000` |      `WU_E_AU_NOSERVICE`        |                      Automatic Updates was unable to service incoming requests.                        |
+| `0x8024A002` |   `WU_E_AU_NONLEGACYSERVER`     | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. |
+| `0x8024A003` | `WU_E_AU_LEGACYCLIENTDISABLED`  |                      The old version of the Automatic Updates client was disabled.                     |
+| `0x8024A004` |       `WU_E_AU_PAUSED`          |            Automatic Updates was unable to process incoming requests because it was paused.            |
+| `0x8024A005` | `WU_E_AU_NO_REGISTERED_SERVICE` |                               No unmanaged service is registered with `AU`.                            |
+| `0x8024AFFF` |      `WU_E_AU_UNEXPECTED`       |                   An Automatic Updates error not covered by another `WU_E_AU*` code.                   |
 
 ## Windows Update UI errors
 
 | Error code |                  Message                    |                                                       Description                                                        |
 |------------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
-| 0x80243001 | `WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION` | The results of download and installation could not be read from the registry due to an unrecognized data format version. |
-| 0x80243002 |  `WU_E_INSTALLATION_RESULTS_INVALID_DATA`   |       The results of download and installation could not be read from the registry due to an invalid data format.        |
-| 0x80243003 |    `WU_E_INSTALLATION_RESULTS_NOT_FOUND`    |           The results of download and installation are not available; the operation may have failed to start.            |
-| 0x80243004 |           `WU_E_TRAYICON_FAILURE`           |                    A failure occurred when trying to create an icon in the taskbar notification area.                    |
-| 0x80243FFD |              `WU_E_NON_UI_MODE`             |                    Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed.                     |
-| 0x80243FFE |     `WU_E_WUCLTUI_UNSUPPORTED_VERSION`      |                                 Unsupported version of Windows Update client UI exported functions.                                  |
-| 0x80243FFF |          `WU_E_AUCLIENT_UNEXPECTED`         |                   There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code.                  |
-| 0x8024043D |          `WU_E_SERVICEPROP_NOTAVAIL`         |                   The requested service property is not available.                  |
+| `0x80243001` | `WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION` | The results of download and installation couldn't be read from the registry due to an unrecognized data format version. |
+| `0x80243002` |  `WU_E_INSTALLATION_RESULTS_INVALID_DATA`   |       The results of download and installation couldn't be read from the registry due to an invalid data format.        |
+| `0x80243003` |    `WU_E_INSTALLATION_RESULTS_NOT_FOUND`    |           The results of download and installation aren't available; the operation may have failed to start.            |
+| `0x80243004` |           `WU_E_TRAYICON_FAILURE`           |                    A failure occurred when trying to create an icon in the taskbar notification area.                    |
+| `0x80243FFD` |              `WU_E_NON_UI_MODE`             |                    Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed.                     |
+| `0x80243FFE` |     `WU_E_WUCLTUI_UNSUPPORTED_VERSION`      |                                 Unsupported version of Windows Update client UI exported functions.                                  |
+| `0x80243FFF` |          `WU_E_AUCLIENT_UNEXPECTED`         |                   There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code.                  |
+| `0x8024043D` |          `WU_E_SERVICEPROP_NOTAVAIL`         |                   The requested service property isn't available.                  |
 
 ## Inventory errors
 
 | Error code |                  Message                   |                                  Description                                  |
 |------------|--------------------------------------------|-------------------------------------------------------------------------------|
-| 0x80249001 |        `WU_E_INVENTORY_PARSEFAILED`        |                       Parsing of the rule file failed.                        |
-| 0x80249002 | `WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED` |          Failed to get the requested inventory type from the server.          |
-| 0x80249003 |    `WU_E_INVENTORY_RESULT_UPLOAD_FAILED`   |               Failed to upload inventory result to the server.                |
-| 0x80249004 |         `WU_E_INVENTORY_UNEXPECTED`        |        There was an inventory error not covered by another error code.        |
-| 0x80249005 |          `WU_E_INVENTORY_WMI_ERROR`        |  A WMI error occurred when enumerating the instances for a particular class.  |
+| `0x80249001` |        `WU_E_INVENTORY_PARSEFAILED`        |                       Parsing of the rule file failed.                        |
+| `0x80249002` | `WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED` |          Failed to get the requested inventory type from the server.          |
+| `0x80249003` |    `WU_E_INVENTORY_RESULT_UPLOAD_FAILED`   |               Failed to upload inventory result to the server.                |
+| `0x80249004` |         `WU_E_INVENTORY_UNEXPECTED`        |        There was an inventory error not covered by another error code.        |
+| `0x80249005` |          `WU_E_INVENTORY_WMI_ERROR`        |  A WMI error occurred when enumerating the instances for a particular class.  |
 
 ## Expression evaluator errors
 
 | Error code |            Message              |                                                          Description                                                           |
 |------------|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
-| 0x8024E001 |  `WU_E_EE_UNKNOWN_EXPRESSION`   |                An expression evaluator operation could not be completed because an expression was unrecognized.                |
-| 0x8024E002 |  `WU_E_EE_INVALID_EXPRESSION`   |                  An expression evaluator operation could not be completed because an expression was invalid.                   |
-| 0x8024E003 |   `WU_E_EE_MISSING_METADATA`    | An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes. |
-| 0x8024E004 |    `WU_E_EE_INVALID_VERSION`    |   An expression evaluator operation could not be completed because the version of the serialized expression data is invalid.   |
-| 0x8024E005 |    `WU_E_EE_NOT_INITIALIZED`    |                                       The expression evaluator could not be initialized.                                       |
-| 0x8024E006 | `WU_E_EE_INVALID_ATTRIBUTEDATA` |                An expression evaluator operation could not be completed because there was an invalid attribute.                |
-| 0x8024E007 |     `WU_E_EE_CLUSTER_ERROR`     |  An expression evaluator operation could not be completed because the cluster state of the computer could not be determined.   |
-| 0x8024EFFF |       `WU_E_EE_UNEXPECTED`      |                     There was an expression evaluator error not covered by another `WU_E_EE_*` error code.                     |
+| `0x8024E001` |  `WU_E_EE_UNKNOWN_EXPRESSION`   |                An expression evaluator operation couldn't be completed because an expression was unrecognized.                |
+| `0x8024E002` |  `WU_E_EE_INVALID_EXPRESSION`   |                  An expression evaluator operation couldn't be completed because an expression was invalid.                   |
+| `0x8024E003` |   `WU_E_EE_MISSING_METADATA`    | An expression evaluator operation couldn't be completed because an expression contains an incorrect number of metadata nodes. |
+| `0x8024E004` |    `WU_E_EE_INVALID_VERSION`    |   An expression evaluator operation couldn't be completed because the version of the serialized expression data is invalid.   |
+| `0x8024E005` |    `WU_E_EE_NOT_INITIALIZED`    |                                       The expression evaluator couldn't be initialized.                                       |
+| `0x8024E006` | `WU_E_EE_INVALID_ATTRIBUTEDATA` |                An expression evaluator operation couldn't be completed because there was an invalid attribute.                |
+| `0x8024E007` |     `WU_E_EE_CLUSTER_ERROR`     |  An expression evaluator operation couldn't be completed because the cluster state of the computer couldn't be determined.   |
+| `0x8024EFFF` |       `WU_E_EE_UNEXPECTED`      |                     There was an expression evaluator error not covered by another `WU_E_EE_*` error code.                     |
  
 ## Reporter errors
 
 | Error code |                 Message                   |                                                     Description                                                      |
 |------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
-| 0x80247001 |        `WU_E_OL_INVALID_SCANFILE`         |                      An operation could not be completed because the scan package was invalid.                       |
-| 0x80247002 |       `WU_E_OL_NEWCLIENT_REQUIRED`        | An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. |
-| 0x80247FFF |           `WU_E_OL_UNEXPECTED`            |                                        Search using the scan package failed.                                         |
-| 0x8024F001 |     `WU_E_REPORTER_EVENTCACHECORRUPT`     |                                         The event cache file was defective.                                          |
-| 0x8024F002 | `WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED` |                            The XML in the event namespace descriptor could not be parsed.                            |
-| 0x8024F003 |           `WU_E_INVALID_EVENT`            |                            The XML in the event namespace descriptor could not be parsed.                            |
-| 0x8024F004 |            `WU_E_SERVER_BUSY`             |                            The server rejected an event because the server was too busy.                             |
-| 0x8024FFFF |         `WU_E_REPORTER_UNEXPECTED`        |                            There was a reporter error not covered by another error code.                             |
+| `0x80247001` |        `WU_E_OL_INVALID_SCANFILE`         |                      An operation couldn't be completed because the scan package was invalid.                       |
+| `0x80247002` |       `WU_E_OL_NEWCLIENT_REQUIRED`        | An operation couldn't be completed because the scan package requires a greater version of the Windows Update Agent. |
+| `0x80247FFF` |           `WU_E_OL_UNEXPECTED`            |                                        Search using the scan package failed.                                         |
+| `0x8024F001` |     `WU_E_REPORTER_EVENTCACHECORRUPT`     |                                         The event cache file was defective.                                          |
+| `0x8024F002` | `WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED` |                            The XML in the event namespace descriptor couldn't be parsed.                            |
+| `0x8024F003` |           `WU_E_INVALID_EVENT`            |                            The XML in the event namespace descriptor couldn't be parsed.                            |
+| `0x8024F004` |            `WU_E_SERVER_BUSY`             |                            The server rejected an event because the server was too busy.                             |
+| `0x8024FFFF` |         `WU_E_REPORTER_UNEXPECTED`        |                            There was a reporter error not covered by another error code.                             |
 
 ## Redirector errors
 The components that download the `Wuredir.cab` file and then parse the `Wuredir.cab` file generate the following errors. 
 
 | Error code |      Message                 | Description                                                                              |
 |----------- |------------------------------|------------------------------------------------------------------------------------------|
-| 0x80245001 | `WU_E_REDIRECTOR_LOAD_XML`   | The redirector XML document could not be loaded into the DOM class.                      |
-| 0x80245002 | `WU_E_REDIRECTOR_S_FALSE`    | The redirector XML document is missing some required information.                        |
-| 0x80245003 | `WU_E_REDIRECTOR_ID_SMALLER` | The redirectorId in the downloaded redirector cab is less than in the cached cab.        |
-| 0x80245FFF | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. |
+| `0x80245001` | `WU_E_REDIRECTOR_LOAD_XML`   | The redirector XML document couldn't be loaded into the DOM class.                      |
+| `0x80245002` | `WU_E_REDIRECTOR_S_FALSE`    | The redirector XML document is missing some required information.                        |
+| `0x80245003` | `WU_E_REDIRECTOR_ID_SMALLER` | The redirectorId in the downloaded redirector cab is less than in the cached cab.        |
+| `0x80245FFF` | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. |
 
 ## Protocol Talker errors
 The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. These errors are obtained when the `CClientWebService` object calls the `GetClientError()` method.  
@@ -98,271 +95,271 @@ The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. Th
 
 | Error code |             Message              |                                                              Description                                                              |
 |------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
-| 0x80244000 |    `WU_E_PT_SOAPCLIENT_BASE`     |                      `WU_E_PT_SOAPCLIENT_*` error codes map to the `SOAPCLIENT_ERROR` enum of the ATL Server Library.                 |
-| 0x80244001 | `WU_E_PT_SOAPCLIENT_INITIALIZE`  | Same as `SOAPCLIENT_INITIALIZE_ERROR` - initialization of the `SOAP` client failed possibly because of an MSXML installation failure. |
-| 0x80244002 | `WU_E_PT_SOAPCLIENT_OUTOFMEMORY` |                         Same as `SOAPCLIENT_OUTOFMEMORY` - `SOAP` client failed because it ran out of memory.                         |
-| 0x80244003 |  `WU_E_PT_SOAPCLIENT_GENERATE`   |                           Same as `SOAPCLIENT_GENERATE_ERROR` - `SOAP` client failed to generate the request.                         |
-| 0x80244004 |   `WU_E_PT_SOAPCLIENT_CONNECT`   |                          Same as `SOAPCLIENT_CONNECT_ERROR` - `SOAP` client failed to connect to the server.                          |
-| 0x80244005 |    `WU_E_PT_SOAPCLIENT_SEND`     |          Same as `SOAPCLIENT_SEND_ERROR` - `SOAP` client failed to send a message for reasons of `WU_E_WINHTTP_*` error codes.        |
-| 0x80244006 |   `WU_E_PT_SOAPCLIENT_SERVER`    |                       Same as `SOAPCLIENT_SERVER_ERROR` - `SOAP` client failed because there was a server error.                      |
-| 0x80244007 |  `WU_E_PT_SOAPCLIENT_SOAPFAULT`  |    Same as `SOAPCLIENT_SOAPFAULT` - `SOAP` client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes.  |
-| 0x80244008 | `WU_E_PT_SOAPCLIENT_PARSEFAULT`  |                           Same as `SOAPCLIENT_PARSEFAULT_ERROR` - `SOAP` client failed to parse a `SOAP` fault.                       |
-| 0x80244009 |    `WU_E_PT_SOAPCLIENT_READ`     |                   Same as `SOAPCLIENT_READ_ERROR` - `SOAP` client failed while reading the response from the server.                  |
-| 0x8024400A |    `WU_E_PT_SOAPCLIENT_PARSE`    |                     Same as `SOAPCLIENT_PARSE_ERROR` - `SOAP` client failed to parse the response from the server.                    |
+| `0x80244000` |    `WU_E_PT_SOAPCLIENT_BASE`     |                      `WU_E_PT_SOAPCLIENT_*` error codes map to the `SOAPCLIENT_ERROR` enum of the ATL Server Library.                 |
+| `0x80244001` | `WU_E_PT_SOAPCLIENT_INITIALIZE`  | Same as `SOAPCLIENT_INITIALIZE_ERROR` - initialization of the `SOAP` client failed possibly because of an MSXML installation failure. |
+| `0x80244002` | `WU_E_PT_SOAPCLIENT_OUTOFMEMORY` |                         Same as `SOAPCLIENT_OUTOFMEMORY` - `SOAP` client failed because it ran out of memory.                         |
+| `0x80244003` |  `WU_E_PT_SOAPCLIENT_GENERATE`   |                           Same as `SOAPCLIENT_GENERATE_ERROR` - `SOAP` client failed to generate the request.                         |
+| `0x80244004` |   `WU_E_PT_SOAPCLIENT_CONNECT`   |                          Same as `SOAPCLIENT_CONNECT_ERROR` - `SOAP` client failed to connect to the server.                          |
+| `0x80244005` |    `WU_E_PT_SOAPCLIENT_SEND`     |          Same as `SOAPCLIENT_SEND_ERROR` - `SOAP` client failed to send a message for reasons of `WU_E_WINHTTP_*` error codes.        |
+| `0x80244006` |   `WU_E_PT_SOAPCLIENT_SERVER`    |                       Same as `SOAPCLIENT_SERVER_ERROR` - `SOAP` client failed because there was a server error.                      |
+| `0x80244007` |  `WU_E_PT_SOAPCLIENT_SOAPFAULT`  |    Same as `SOAPCLIENT_SOAPFAULT` - `SOAP` client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes.  |
+| `0x80244008` | `WU_E_PT_SOAPCLIENT_PARSEFAULT`  |                           Same as `SOAPCLIENT_PARSEFAULT_ERROR` - `SOAP` client failed to parse a `SOAP` fault.                       |
+| `0x80244009` |    `WU_E_PT_SOAPCLIENT_READ`     |                   Same as `SOAPCLIENT_READ_ERROR` - `SOAP` client failed while reading the response from the server.                  |
+| `x8024400A` |    `WU_E_PT_SOAPCLIENT_PARSE`    |                     Same as `SOAPCLIENT_PARSE_ERROR` - `SOAP` client failed to parse the response from the server.                    |
 
 ## Other Protocol Talker errors
-The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These errors are obtained from the `m_fault.m_soapErrCode` member of the `CClientWebService` object when `GetClientError()` returns `SOAPCLIENT_SOAPFAULT`. 
 
+The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These errors are obtained from the `m_fault.m_soapErrCode` member of the `CClientWebService` object when `GetClientError()` returns `SOAPCLIENT_SOAPFAULT`.
 
-| Error code |                   Message                    |                                                                                   Description                                                                                    |
-|------------|----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x8024400B |            `WU_E_PT_SOAP_VERSION`            |                                    Same as `SOAP_E_VERSION_MISMATCH` - `SOAP` client found an unrecognizable namespace for the `SOAP` envelope.                                  |
-| 0x8024400C |        `WU_E_PT_SOAP_MUST_UNDERSTAND`        |                                               Same as `SOAP_E_MUST_UNDERSTAND` - `SOAP` client was unable to understand a header.                                                |
-| 0x8024400D |            `WU_E_PT_SOAP_CLIENT`             |                                            Same as `SOAP_E_CLIENT` - `SOAP` client found the message was malformed; fix before resending.                                        |
-| 0x8024400E |            `WU_E_PT_SOAP_SERVER`             |                                       Same as `SOAP_E_SERVER` - The `SOAP` message could not be processed due to a server error; resend later.                                   |
-| 0x8024400F |             `WU_E_PT_WMI_ERROR`              |                                                     There was an unspecified Windows Management Instrumentation (WMI) error.                                                     |
-| 0x80244010 |     `WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS`      |                                                       The number of round trips to the server exceeded the maximum limit.                                                        |
-| 0x80244011 |         `WU_E_PT_SUS_SERVER_NOT_SET`         |                                                                WUServer policy value is missing in the registry.                                                                 |
-| 0x80244012 |       `WU_E_PT_DOUBLE_INITIALIZATION`        |                                                        Initialization failed because the object was already initialized.                                                         |
-| 0x80244013 |       `WU_E_PT_INVALID_COMPUTER_NAME`        |                                                                    The computer name could not be determined.                                                                    |
-| 0x80244015 |       `WU_E_PT_REFRESH_CACHE_REQUIRED`       |                   The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry.                  |
-| 0x80244016 |      `WU_E_PT_HTTP_STATUS_BAD_REQUEST`       |                                            Same as HTTP status 400 - the server could not process the request due to invalid syntax.                                             |
-| 0x80244017 |         `WU_E_PT_HTTP_STATUS_DENIED`         |                                                  Same as HTTP status 401 - the requested resource requires user authentication.                                                  |
-| 0x80244018 |       `WU_E_PT_HTTP_STATUS_FORBIDDEN`        |                                                Same as HTTP status 403 - server understood the request but declined to fulfill it.                                               |
-| 0x80244019 |       `WU_E_PT_HTTP_STATUS_NOT_FOUND`        |                                        Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier).                                         |
-| 0x8024401A |       `WU_E_PT_HTTP_STATUS_BAD_METHOD`       |                                                            Same as HTTP status 405 - the HTTP method is not allowed.                                                             |
-| 0x8024401B |     `WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ`     |                                                           Same as HTTP status 407 - proxy authentication is required.                                                            |
-| 0x8024401C |    `WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT`     |                                                     Same as HTTP status 408 - the server timed out waiting for the request.                                                      |
-| 0x8024401D |        `WU_E_PT_HTTP_STATUS_CONFLICT`        |                                Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource.                                 |
-| 0x8024401E |          `WU_E_PT_HTTP_STATUS_GONE`          |                                                Same as HTTP status 410 - requested resource is no longer available at the server.                                                |
-| 0x8024401F |      `WU_E_PT_HTTP_STATUS_SERVER_ERROR`      |                                           Same as HTTP status 500 - an error internal to the server prevented fulfilling the request.                                            |
-| 0x80244020 |     `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED`      |                                       Same as HTTP status 500 - server does not support the functionality required to fulfill the request.                                       |
-| 0x80244021 |      `WU_E_PT_HTTP_STATUS_BAD_GATEWAY`       | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. |
-| 0x80244022 |    `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL`     |                                                         Same as HTTP status 503 - the service is temporarily overloaded.                                                         |
-| 0x80244023 |    `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT`     |                                                    Same as HTTP status 503 - the request was timed out waiting for a gateway.                                                    |
-| 0x80244024 |    `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP`     |                                      Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request.                                       |
-| 0x80244025 |       `WU_E_PT_FILE_LOCATIONS_CHANGED`       |                                                Operation failed due to a changed file location; refresh internal state and resend.                                               |
-| 0x80244026 |     `WU_E_PT_REGISTRATION_NOT_SUPPORTED`     |                                       Operation failed because Windows Update Agent does not support registration with a non-WSUS server.                                        |
-| 0x80244027 |     `WU_E_PT_NO_AUTH_PLUGINS_REQUESTED`      |                                                          The server returned an empty authentication information list.                                                           |
-| 0x80244028 |      `WU_E_PT_NO_AUTH_COOKIES_CREATED`       |                                                   Windows Update Agent was unable to create any valid authentication cookies.                                                    |
-| 0x80244029 |        `WU_E_PT_INVALID_CONFIG_PROP`         |                                                                    A configuration property value was wrong.                                                                     |
-| 0x8024402A |        `WU_E_PT_CONFIG_PROP_MISSING`         |                                                                   A configuration property value was missing.                                                                    |
-| 0x8024402B |       `WU_E_PT_HTTP_STATUS_NOT_MAPPED`       |                               The HTTP request could not be completed and the reason did not correspond to any of the `WU_E_PT_HTTP_*` error codes.                              |
-| 0x8024402C |     `WU_E_PT_WINHTTP_NAME_NOT_RESOLVED`      |                                       Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved.                                       |
-| 0x8024402F |     `WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS`      |                                                             External cab file processing completed with some errors.                                                             |
-| 0x80244030 |          `WU_E_PT_ECP_INIT_FAILED`           |                                                           The external cab processor initialization did not complete.                                                            |
-| 0x80244031 |      `WU_E_PT_ECP_INVALID_FILE_FORMAT`       |                                                                    The format of a metadata file was invalid.                                                                    |
-| 0x80244032 |        `WU_E_PT_ECP_INVALID_METADATA`        |                                                                  External cab processor found invalid metadata.                                                                  |
-| 0x80244033 |   `WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST`    |                                                        The file digest could not be extracted from an external cab file.                                                         |
-| 0x80244034 | `WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE` |                                                                 An external cab file could not be decompressed.                                                                  |
-| 0x80244035 |      `WU_E_PT_ECP_FILE_LOCATION_ERROR`       |                                                             External cab processor was unable to get file locations.                                                             |
-| 0x80244FFF |             `WU_E_PT_UNEXPECTED`             |                                                       A communication error not covered by another `WU_E_PT_*` error code.                                                       |
-| 0x8024502D |           `WU_E_PT_SAME_REDIR_ID`            |                       Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery.                       |
-| 0x8024502E |         `WU_E_PT_NO_MANAGED_RECOVER`         |                                                   A redirector recovery action did not complete because the server is managed.                                                   |
+| Error code |             Message              |                                                              Description                                                              |
+|------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
+| `0x8024400B` |            `WU_E_PT_SOAP_VERSION`            |                                    Same as `SOAP_E_VERSION_MISMATCH` - `SOAP` client found an unrecognizable namespace for the `SOAP` envelope.                                  |
+| `0x8024400C` |        `WU_E_PT_SOAP_MUST_UNDERSTAND`        |                                               Same as `SOAP_E_MUST_UNDERSTAND` - `SOAP` client was unable to understand a header.                                                |
+| `0x8024400D` |            `WU_E_PT_SOAP_CLIENT`             |                                            Same as `SOAP_E_CLIENT` - `SOAP` client found the message was malformed; fix before resending.                                        |
+|`0x8024400E` |            `WU_E_PT_SOAP_SERVER`             |                                       Same as `SOAP_E_SERVER` - The `SOAP` message couldn't be processed due to a server error; resend later.                                   |
+| `0x8024400F` |             `WU_E_PT_WMI_ERROR`              |                                                     There was an unspecified Windows Management Instrumentation (WMI) error.                                                     |
+| `0x80244010` |     `WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS`      |                                                       The number of round trips to the server exceeded the maximum limit.                                                        |
+| `0x80244011` |         `WU_E_PT_SUS_SERVER_NOT_SET`         |                                                                WUServer policy value is missing in the registry.                                                                 |
+| `0x80244012` |       `WU_E_PT_DOUBLE_INITIALIZATION`        |                                                        Initialization failed because the object was already initialized.                                                         |
+| `0x80244013` |       `WU_E_PT_INVALID_COMPUTER_NAME`        |                                                                    The computer name couldn't be determined.                                                                    |
+| `0x80244015` |       `WU_E_PT_REFRESH_CACHE_REQUIRED`       |                   The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry.                  |
+| `0x80244016` |      `WU_E_PT_HTTP_STATUS_BAD_REQUEST`       |                                            Same as HTTP status 400 - the server couldn't process the request due to invalid syntax.                                             |
+| `0x80244017` |         `WU_E_PT_HTTP_STATUS_DENIED`         |                                                  Same as HTTP status 401 - the requested resource requires user authentication.                                                  |
+| `0x80244018` |       `WU_E_PT_HTTP_STATUS_FORBIDDEN`        |                                                Same as HTTP status 403 - server understood the request but declined to fulfill it.                                               |
+| `0x80244019` |       `WU_E_PT_HTTP_STATUS_NOT_FOUND`        |                                        Same as HTTP status 404 - the server can't find the requested URI (Uniform Resource Identifier).                                         |
+| `0x8024401A` |       `WU_E_PT_HTTP_STATUS_BAD_METHOD`       |                                                            Same as HTTP status 405 - the HTTP method isn't allowed.                                                             |
+| `0x8024401B` |     `WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ`     |                                                           Same as HTTP status 407 - proxy authentication is required.                                                            |
+| `0x8024401C` |    `WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT`     |                                                     Same as HTTP status 408 - the server timed out waiting for the request.                                                      |
+| `0x8024401D` |        `WU_E_PT_HTTP_STATUS_CONFLICT`        |                                Same as HTTP status 409 - the request wasn't completed due to a conflict with the current state of the resource.                                 |
+| `0x8024401E` |          `WU_E_PT_HTTP_STATUS_GONE`          |                                                Same as HTTP status 410 - requested resource is no longer available at the server.                                                |
+| `0x8024401F` |      `WU_E_PT_HTTP_STATUS_SERVER_ERROR`      |                                           Same as HTTP status 500 - an error internal to the server prevented fulfilling the request.                                            |
+| `0x80244020` |     `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED`      |                                       Same as HTTP status 500 - server doesn't support the functionality required to fulfill the request.                                       |
+|`0x80244021` |      `WU_E_PT_HTTP_STATUS_BAD_GATEWAY`       | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. |
+| `0x80244022` |    `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL`     |                                                         Same as HTTP status 503 - the service is temporarily overloaded.                                                         |
+| `0x80244023` |    `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT`     |                                                    Same as HTTP status 503 - the request was timed out waiting for a gateway.                                                    |
+| `0x80244024` |    `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP`     |                                      Same as HTTP status 505 - the server doesn't support the HTTP protocol version used for the request.                                       |
+| `0x80244025` |       `WU_E_PT_FILE_LOCATIONS_CHANGED`       |                                                Operation failed due to a changed file location; refresh internal state and resend.                                               |
+| `0x80244026` |     `WU_E_PT_REGISTRATION_NOT_SUPPORTED`     |                                       Operation failed because Windows Update Agent doesn't support registration with a non-WSUS server.                                        |
+| `0x80244027` |     `WU_E_PT_NO_AUTH_PLUGINS_REQUESTED`      |                                                          The server returned an empty authentication information list.                                                           |
+| `0x80244028` |      `WU_E_PT_NO_AUTH_COOKIES_CREATED`       |                                                   Windows Update Agent was unable to create any valid authentication cookies.                                                    |
+| `0x80244029` |        `WU_E_PT_INVALID_CONFIG_PROP`         |                                                                    A configuration property value was wrong.                                                                     |
+| `0x8024402A` |        `WU_E_PT_CONFIG_PROP_MISSING`         |                                                                   A configuration property value was missing.                                                                    |
+| `0x8024402B` |       `WU_E_PT_HTTP_STATUS_NOT_MAPPED`       |                               The HTTP request couldn't be completed and the reason didn't correspond to any of the `WU_E_PT_HTTP_*` error codes.                              |
+| `0x8024402C` |     `WU_E_PT_WINHTTP_NAME_NOT_RESOLVED`      |                                       Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name can't be resolved.                                       |
+| `0x8024402F` |     `WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS`      |                                                             External cab file processing completed with some errors.                                                             |
+| `0x80244030` |          `WU_E_PT_ECP_INIT_FAILED`           |                                                           The external cab processor initialization didn't complete.                                                            |
+| `0x80244031` |      `WU_E_PT_ECP_INVALID_FILE_FORMAT`       |                                                                    The format of a metadata file was invalid.                                                                    |
+| `0x80244032` |        `WU_E_PT_ECP_INVALID_METADATA`        |                                                                  External cab processor found invalid metadata.                                                                  |
+| `0x80244033` |   `WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST`    |                                                        The file digest couldn't be extracted from an external cab file.                                                         |
+| `0x80244034` | `WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE` |                                                                 An external cab file couldn't be decompressed.                                                                  |
+| `0x80244035` |      `WU_E_PT_ECP_FILE_LOCATION_ERROR`       |                                                             External cab processor was unable to get file locations.                                                             |
+| `0x80244FFF` |             `WU_E_PT_UNEXPECTED`             |                                                       A communication error not covered by another `WU_E_PT_*` error code.                                                       |
+| `0x8024502D` |           `WU_E_PT_SAME_REDIR_ID`            |                       Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery.                       |
+| `0x8024502E` |         `WU_E_PT_NO_MANAGED_RECOVER`         |                                                   A redirector recovery action didn't complete because the server is managed.                                                   |
 
 ## Download Manager errors
 
 | Error code |             Message               |                                                                Description                                                                 |
 |------------|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x80246001 |     `WU_E_DM_URLNOTAVAILABLE`     |                    A download manager operation could not be completed because the requested file does not have a URL.                     |
-| 0x80246002 |    `WU_E_DM_INCORRECTFILEHASH`    |                      A download manager operation could not be completed because the file digest was not recognized.                       |
-| 0x80246003 |    `WU_E_DM_UNKNOWNALGORITHM`     |          A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm.           |
-| 0x80246004 |   `WU_E_DM_NEEDDOWNLOADREQUEST`   |                   An operation could not be completed because a download request is required from the download handler.                    |
-| 0x80246005 |        `WU_E_DM_NONETWORK`        |                    A download manager operation could not be completed because the network connection was unavailable.                     |
-| 0x80246006 |    `WU_E_DM_WRONGBITSVERSION`     | A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. |
-| 0x80246007 |      `WU_E_DM_NOTDOWNLOADED`      |                                                    The update has not been downloaded.                                                     |
-| 0x80246008 |   `WU_E_DM_FAILTOCONNECTTOBITS`   | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). |
-| 0x80246009 |   `WU_E_DM_BITSTRANSFERERROR`     |    A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.     |
-| 0x8024600A | `WU_E_DM_DOWNLOADLOCATIONCHANGED` |                        A download must be restarted because the location of the source of the download has changed.                        |
-| 0x8024600B |     `WU_E_DM_CONTENTCHANGED`      |                            A download must be restarted because the update content changed in a new revision.                              |
-| 0x80246FFF |       `WU_E_DM_UNEXPECTED`        |                             There was a download manager error not covered by another `WU_E_DM_*` error code.                              |
+| `0x80246001` |     `WU_E_DM_URLNOTAVAILABLE`     |                    A download manager operation couldn't be completed because the requested file doesn't have a URL.                     |
+| `0x80246002` |    `WU_E_DM_INCORRECTFILEHASH`    |                      A download manager operation couldn't be completed because the file digest wasn't recognized.                       |
+| `0x80246003` |    `WU_E_DM_UNKNOWNALGORITHM`     |          A download manager operation couldn't be completed because the file metadata requested an unrecognized hash algorithm.           |
+| `0x80246004` |   `WU_E_DM_NEEDDOWNLOADREQUEST`   |                   An operation couldn't be completed because a download request is required from the download handler.                    |
+| `0x80246005` |        `WU_E_DM_NONETWORK`        |                    A download manager operation couldn't be completed because the network connection was unavailable.                     |
+| `0x80246006` |    `WU_E_DM_WRONGBITSVERSION`     | A download manager operation couldn't be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. |
+| `0x80246007` |      `WU_E_DM_NOTDOWNLOADED`      |                                                    The update hasn't been downloaded.                                                     |
+| `0x80246008` |   `WU_E_DM_FAILTOCONNECTTOBITS`   | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). |
+| `0x80246009` |   `WU_E_DM_BITSTRANSFERERROR`     |    A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.     |
+| `0x8024600A` | `WU_E_DM_DOWNLOADLOCATIONCHANGED` |                        A download must be restarted because the location of the source of the download has changed.                        |
+| `0x8024600B` |     `WU_E_DM_CONTENTCHANGED`      |                            A download must be restarted because the update content changed in a new revision.                              |
+| `0x80246FFF` |       `WU_E_DM_UNEXPECTED`        |                             There was a download manager error not covered by another `WU_E_DM_*` error code.                              |
 
 ## Update Handler errors
 
 | Error code |                Message                 |                                                                 Description                                                                 |
 |------------|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x80242000 |      `WU_E_UH_REMOTEUNAVAILABLE`       |                     A request for a remote update handler could not be completed because no remote process is available.                    |
-| 0x80242001 |          `WU_E_UH_LOCALONLY`           |                       A request for a remote update handler could not be completed because the handler is local only.                       |
-| 0x80242002 |        `WU_E_UH_UNKNOWNHANDLER`        |                     A request for an update handler could not be completed because the handler could not be recognized.                     |
-| 0x80242003 |     `WU_E_UH_REMOTEALREADYACTIVE`      |                                  A remote update handler could not be created because one already exists.                                   |
-| 0x80242004 |     `WU_E_UH_DOESNOTSUPPORTACTION`     |  A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). |
-| 0x80242005 |         `WU_E_UH_WRONGHANDLER`         |                                   An operation did not complete because the wrong handler was specified.                                    |
-| 0x80242006 |       `WU_E_UH_INVALIDMETADATA`        |                          A handler operation could not be completed because the update contains invalid metadata.                           |
-| 0x80242007 |        `WU_E_UH_INSTALLERHUNG`         |                             An operation could not be completed because the installer exceeded the time limit.                              |
-| 0x80242008 |      `WU_E_UH_OPERATIONCANCELLED`      |                                        An operation being done by the update handler was canceled.                                          |
-| 0x80242009 |        `WU_E_UH_BADHANDLERXML`         |                            An operation could not be completed because the handler-specific metadata is invalid.                            |
-| 0x8024200A |       `WU_E_UH_CANREQUIREINPUT`        |                A request to the handler to install an update could not be completed because the update requires user input.                 |
-| 0x8024200B |       `WU_E_UH_INSTALLERFAILURE`       |                                      The installer failed to install (uninstall) one or more updates.                                       |
-| 0x8024200C |   `WU_E_UH_FALLBACKTOSELFCONTAINED`    |               The update handler should download self-contained content rather than delta-compressed content for the update.                |
-| 0x8024200D |     `WU_E_UH_NEEDANOTHERDOWNLOAD`      |                           The update handler did not install the update because it needs to be downloaded again.                            |
-| 0x8024200E |        `WU_E_UH_NOTIFYFAILURE`         |                     The update handler failed to send notification of the status of the install (uninstall) operation.                      |
-| 0x8024200F |   `WU_E_UH_INCONSISTENT_FILE_NAMES`    |                         The file names contained in the update metadata and in the update package are inconsistent.                         |
-| 0x80242010 |        `WU_E_UH_FALLBACKERROR`         |                                    The update handler failed to fall back to the self-contained content.                                    |
-| 0x80242011 |   `WU_E_UH_TOOMANYDOWNLOADREQUESTS`    |                                  The update handler has exceeded the maximum number of download requests.                                   |
-| 0x80242012 |    `WU_E_UH_UNEXPECTEDCBSRESPONSE`     |                                      The update handler has received an unexpected response from CBS.                                       |
-| 0x80242013 |       `WU_E_UH_BADCBSPACKAGEID`        |                                       The update metadata contains an invalid CBS package identifier.                                       |
-| 0x80242014 |    `WU_E_UH_POSTREBOOTSTILLPENDING`    |                                       The post-reboot operation for the update is still in progress.                                        |
-| 0x80242015 |   `WU_E_UH_POSTREBOOTRESULTUNKNOWN`    |                               The result of the post-reboot operation for the update could not be determined.                               |
-| 0x80242016 |  `WU_E_UH_POSTREBOOTUNEXPECTEDSTATE`   |                            The state of the update after its post-reboot operation has completed is unexpected.                             |
-| 0x80242017 | `WU_E_UH_NEW_SERVICING_STACK_REQUIRED` |                            The OS servicing stack must be updated before this update is downloaded or installed.                            |
-| 0x80242FFF |          `WU_E_UH_UNEXPECTED`          |                                       An update handler error not covered by another `WU_E_UH_*` code.                                      |
+| `0x80242000` |      `WU_E_UH_REMOTEUNAVAILABLE`       |                     A request for a remote update handler couldn't be completed because no remote process is available.                    |
+| `0x80242001`|          `WU_E_UH_LOCALONLY`           |                       A request for a remote update handler couldn't be completed because the handler is local only.                       |
+| `0x80242002` |        `WU_E_UH_UNKNOWNHANDLER`        |                     A request for an update handler couldn't be completed because the handler couldn't be recognized.                     |
+| `0x80242003` |     `WU_E_UH_REMOTEALREADYACTIVE`      |                                  A remote update handler couldn't be created because one already exists.                                   |
+| `0x80242004` |     `WU_E_UH_DOESNOTSUPPORTACTION`     |  A request for the handler to install (uninstall) an update couldn't be completed because the update doesn't support install (uninstall). |
+|`0x80242005` |         `WU_E_UH_WRONGHANDLER`         |                                   An operation didn't complete because the wrong handler was specified.                                    |
+| `0x80242006` |       `WU_E_UH_INVALIDMETADATA`        |                          A handler operation couldn't be completed because the update contains invalid metadata.                           |
+| `0x80242007` |        `WU_E_UH_INSTALLERHUNG`         |                             An operation couldn't be completed because the installer exceeded the time limit.                              |
+| `0x80242008` |      `WU_E_UH_OPERATIONCANCELLED`      |                                        An operation being done by the update handler was canceled.                                          |
+| `0x80242009` |        `WU_E_UH_BADHANDLERXML`         |                            An operation couldn't be completed because the handler-specific metadata is invalid.                            |
+| `0x8024200A` |       `WU_E_UH_CANREQUIREINPUT`        |                A request to the handler to install an update couldn't be completed because the update requires user input.                 |
+| `0x8024200B` |       `WU_E_UH_INSTALLERFAILURE`       |                                      The installer failed to install (uninstall) one or more updates.                                       |
+| `0x8024200C` |   `WU_E_UH_FALLBACKTOSELFCONTAINED`    |               The update handler should download self-contained content rather than delta-compressed content for the update.                |
+| `0x8024200D` |     `WU_E_UH_NEEDANOTHERDOWNLOAD`      |                           The update handler didn't install the update because it needs to be downloaded again.                            |
+| `0x8024200E` |        `WU_E_UH_NOTIFYFAILURE`         |                     The update handler failed to send notification of the status of the install (uninstall) operation.                      |
+| `0x8024200F` |   `WU_E_UH_INCONSISTENT_FILE_NAMES`    |                         The file names contained in the update metadata and in the update package are inconsistent.                         |
+| `0x80242010` |        `WU_E_UH_FALLBACKERROR`         |                                    The update handler failed to fall back to the self-contained content.                                    |
+| `0x80242011` |   `WU_E_UH_TOOMANYDOWNLOADREQUESTS`    |                                  The update handler has exceeded the maximum number of download requests.                                   |
+| `0x80242012` |    `WU_E_UH_UNEXPECTEDCBSRESPONSE`     |                                      The update handler has received an unexpected response from CBS.                                       |
+| `0x80242013` |       `WU_E_UH_BADCBSPACKAGEID`        |                                       The update metadata contains an invalid CBS package identifier.                                       |
+| `0x80242014` |    `WU_E_UH_POSTREBOOTSTILLPENDING`    |                                       The post-reboot operation for the update is still in progress.                                        |
+| `0x80242015` |   `WU_E_UH_POSTREBOOTRESULTUNKNOWN`    |                               The result of the post-reboot operation for the update couldn't be determined.                               |
+| `0x80242016` |  `WU_E_UH_POSTREBOOTUNEXPECTEDSTATE`   |                            The state of the update after its post-reboot operation has completed is unexpected.                             |
+| `0x80242017` | `WU_E_UH_NEW_SERVICING_STACK_REQUIRED` |                            The OS servicing stack must be updated before this update is downloaded or installed.                            |
+| `0x80242FFF` |          `WU_E_UH_UNEXPECTED`          |                                       An update handler error not covered by another `WU_E_UH_*` code.                                      |
 
 ## Data Store errors
 
 | Error code |            Message             |                                                                                               Description                                                                                              |
 |------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x80248000 |       `WU_E_DS_SHUTDOWN`       |                                                                   An operation failed because Windows Update Agent is shutting down.                                                                   |
-| 0x80248001 |        `WU_E_DS_INUSE`         |                                                                          An operation failed because the data store was in use.                                                                        |
-| 0x80248002 |       `WU_E_DS_INVALID`        |                                                                     The current and expected states of the data store do not match.                                                                    |
-| 0x80248003 |     `WU_E_DS_TABLEMISSING`     |                                                                                   The data store is missing a table.                                                                                   |
-| 0x80248004 |    `WU_E_DS_TABLEINCORRECT`    |                                                                        The data store contains a table with unexpected columns.                                                                        |
-| 0x80248005 |   `WU_E_DS_INVALIDTABLENAME`   |                                                                 A table could not be opened because the table is not in the data store.                                                                |
-| 0x80248006 |      `WU_E_DS_BADVERSION`      |                                                                    The current and expected versions of the data store do not match.                                                                   |
-| 0x80248007 |        `WU_E_DS_NODATA`        |                                                                           The information requested is not in the data store.                                                                          |
-| 0x80248008 |     `WU_E_DS_MISSINGDATA`      |                                             The data store is missing required information or has a NULL in a table column that requires a non-null value.                                             |
-| 0x80248009 |      `WU_E_DS_MISSINGREF`      |                                    The data store is missing required information or has a reference to missing license terms file localized property or linked row.                                   |
-| 0x8024800A |    `WU_E_DS_UNKNOWNHANDLER`    |                                                            The update was not processed because its update handler could not be recognized.                                                            |
-| 0x8024800B |      `WU_E_DS_CANTDELETE`      |                                                           The update was not deleted because it is still referenced by one or more services.                                                           |
-| 0x8024800C |  `WU_E_DS_LOCKTIMEOUTEXPIRED`  |                                                                  The data store section could not be locked within the allotted time.                                                                  |
-| 0x8024800D |     `WU_E_DS_NOCATEGORIES`     |                                               The category was not added because it contains no parent categories and is not a top-level category itself.                                              |
-| 0x8024800E |      `WU_E_DS_ROWEXISTS`       |                                                                 The row was not added because an existing row has the same primary key.                                                                |
-| 0x8024800F |   `WU_E_DS_STOREFILELOCKED`    |                                                            The data store could not be initialized because it was locked by another process.                                                           |
-| 0x80248010 |    `WU_E_DS_CANNOTREGISTER`    |                                                             The data store is not allowed to be registered with COM in the current process.                                                            |
-| 0x80248011 |    `WU_E_DS_UNABLETOSTART`     |                                                                        Could not create a data store object in another process.                                                                        |
-| 0x80248013 |  `WU_E_DS_DUPLICATEUPDATEID`   |                                                             The server sent the same update to the client with two different revision IDs.                                                             |
-| 0x80248014 |   `WU_E_DS_UNKNOWNSERVICE`     |                                                               An operation did not complete because the service is not in the data store.                                                              |
-| 0x80248015 |   `WU_E_DS_SERVICEEXPIRED`     |                                                           An operation did not complete because the registration of the service has expired.                                                           |
-| 0x80248016 |  `WU_E_DS_DECLINENOTALLOWED`   |                                          A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.                                         |
-| 0x80248017 | `WU_E_DS_TABLESESSIONMISMATCH` |                                                                  A table was not closed because it is not associated with the session.                                                                 |
-| 0x80248018 | `WU_E_DS_SESSIONLOCKMISMATCH`  |                                                                  A table was not closed because it is not associated with the session.                                                                 |
-| 0x80248019 |  `WU_E_DS_NEEDWINDOWSSERVICE`  |  A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service. |
-| 0x8024801A |   `WU_E_DS_INVALIDOPERATION`   |                                                                      A request was declined because the operation is not allowed.                                                                      |
-| 0x8024801B |    `WU_E_DS_SCHEMAMISMATCH`    |                                                  The schema of the current data store and the schema of a table in a backup XML document do not match.                                                 |
-| 0x8024801C |    `WU_E_DS_RESETREQUIRED`     |                                                       The data store requires a session reset; release the session and retry with a new session.                                                       |
-| 0x8024801D |     `WU_E_DS_IMPERSONATED`     |                                                     A data store operation did not complete because it was requested with an impersonated identity.                                                    |
-| 0x80248FFF |      `WU_E_DS_UNEXPECTED`      |                                                                       A data store error not covered by another `WU_E_DS_*` code.                                                                      |
+| `0x80248000` |       `WU_E_DS_SHUTDOWN`       |                                                                   An operation failed because Windows Update Agent is shutting down.                                                                   |
+| `0x80248001` |        `WU_E_DS_INUSE`         |                                                                          An operation failed because the data store was in use.                                                                        |
+| `0x80248002` |       `WU_E_DS_INVALID`        |                                                                     The current and expected states of the data store don't match.                                                                    |
+| `0x80248003` |     `WU_E_DS_TABLEMISSING`     |                                                                                   The data store is missing a table.                                                                                   |
+| `0x80248004` |    `WU_E_DS_TABLEINCORRECT`    |                                                                        The data store contains a table with unexpected columns.                                                                        |
+| `0x80248005` |   `WU_E_DS_INVALIDTABLENAME`   |                                                                 A table couldn't be opened because the table isn't in the data store.                                                                |
+| `0x80248006` |      `WU_E_DS_BADVERSION`      |                                                                    The current and expected versions of the data store don't match.                                                                   |
+| `0x80248007` |        `WU_E_DS_NODATA`        |                                                                           The information requested isn't in the data store.                                                                          |
+| `0x80248008` |     `WU_E_DS_MISSINGDATA`      |                                             The data store is missing required information or has a NULL in a table column that requires a non-null value.                                             |
+| `0x80248009` |      `WU_E_DS_MISSINGREF`      |                                    The data store is missing required information or has a reference to missing license terms file localized property or linked row.                                   |
+| `0x8024800A` |    `WU_E_DS_UNKNOWNHANDLER`    |                                                            The update wasn't processed because its update handler couldn't be recognized.                                                            |
+| `0x8024800B` |      `WU_E_DS_CANTDELETE`      |                                                           The update wasn't deleted because it's still referenced by one or more services.                                                           |
+| `0x8024800C` |  `WU_E_DS_LOCKTIMEOUTEXPIRED`  |                                                                  The data store section couldn't be locked within the allotted time.                                                                  |
+| `0x8024800D` |     `WU_E_DS_NOCATEGORIES`     |                                               The category wasn't added because it contains no parent categories and isn't a top-level category itself.                                              |
+| `0x8024800E` |      `WU_E_DS_ROWEXISTS`       |                                                                 The row wasn't added because an existing row has the same primary key.                                                                |
+| `0x8024800F` |   `WU_E_DS_STOREFILELOCKED`    |                                                            The data store couldn't be initialized because it was locked by another process.                                                           |
+| `0x80248010` |    `WU_E_DS_CANNOTREGISTER`    |                                                             The data store isn't allowed to be registered with COM in the current process.                                                            |
+| `0x80248011` |    `WU_E_DS_UNABLETOSTART`     |                                                                        Couldn't create a data store object in another process.                                                                        |
+| `0x80248013` |  `WU_E_DS_DUPLICATEUPDATEID`   |                                                             The server sent the same update to the client with two different revision IDs.                                                             |
+| `0x80248014` |   `WU_E_DS_UNKNOWNSERVICE`     |                                                               An operation didn't complete because the service isn't in the data store.                                                              |
+| `0x80248015` |   `WU_E_DS_SERVICEEXPIRED`     |                                                           An operation didn't complete because the registration of the service has expired.                                                           |
+| `0x80248016` |  `WU_E_DS_DECLINENOTALLOWED`   |                                          A request to hide an update was declined because it's a mandatory update or because it was deployed with a deadline.                                         |
+| `0x80248017` | `WU_E_DS_TABLESESSIONMISMATCH` |                                                                  A table wasn't closed because it isn't associated with the session.                                                                 |
+| `0x80248018` | `WU_E_DS_SESSIONLOCKMISMATCH`  |                                                                  A table wasn't closed because it isn't associated with the session.                                                                 |
+| `0x80248019` |  `WU_E_DS_NEEDWINDOWSSERVICE`  |  A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it's a built-in service and/or Automatic Updates can't fall back to another service. |
+| `0x8024801A` |   `WU_E_DS_INVALIDOPERATION`   |                                                                      A request was declined because the operation isn't allowed.                                                                      |
+| `0x8024801B` |    `WU_E_DS_SCHEMAMISMATCH`    |                                                  The schema of the current data store and the schema of a table in a backup XML document don't match.                                                 |
+| `0x8024801C` |    `WU_E_DS_RESETREQUIRED`     |                                                       The data store requires a session reset; release the session and retry with a new session.                                                       |
+| `0x8024801D` |     `WU_E_DS_IMPERSONATED`     |                                                     A data store operation didn't complete because it was requested with an impersonated identity.                                                    |
+| `0x80248FFF` |      `WU_E_DS_UNEXPECTED`      |                                                                       A data store error not covered by another `WU_E_DS_*` code.                                                                      |
 
 ## Driver Util errors
-The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. 
+The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This isn't a fatal error, and the device is merely skipped. 
 
 | Error code |  Message                      | Description                                                                                    |
 |------------|-------------------------------|------------------------------------------------------------------------------------------------|
-| 0x8024C001 | `WU_E_DRV_PRUNED`             | A driver was skipped.                                                                          |
-| 0x8024C002 | `WU_E_DRV_NOPROP_OR_LEGACY`   | A property for the driver could not be found. It may not conform with required specifications. |
-| 0x8024C003 | `WU_E_DRV_REG_MISMATCH`       | The registry type read for the driver does not match the expected type.                        |
-| 0x8024C004 | `WU_E_DRV_NO_METADATA`        | The driver update is missing metadata.                                                         |
-| 0x8024C005 | `WU_E_DRV_MISSING_ATTRIBUTE`  | The driver update is missing a required attribute.                                             |
-| 0x8024C006 | `WU_E_DRV_SYNC_FAILED`        | Driver synchronization failed.                                                                 |
-| 0x8024C007 | `WU_E_DRV_NO_PRINTER_CONTENT` | Information required for the synchronization of applicable printers is missing.                |
-| 0x8024CFFF | `WU_E_DRV_UNEXPECTED`         | A driver error not covered by another `WU_E_DRV_*` code.                                       |
+| `0x8024C001` | `WU_E_DRV_PRUNED`             | A driver was skipped.                                                                          |
+| `0x8024C002` | `WU_E_DRV_NOPROP_OR_LEGACY`   | A property for the driver couldn't be found. It may not conform with required specifications. |
+| `0x8024C003` | `WU_E_DRV_REG_MISMATCH`       | The registry type read for the driver doesn't match the expected type.                        |
+| `0x8024C004` | `WU_E_DRV_NO_METADATA`        | The driver update is missing metadata.                                                         |
+| `0x8024C005` | `WU_E_DRV_MISSING_ATTRIBUTE`  | The driver update is missing a required attribute.                                             |
+| `0x8024C006` | `WU_E_DRV_SYNC_FAILED`        | Driver synchronization failed.                                                                 |
+| `0x8024C007` | `WU_E_DRV_NO_PRINTER_CONTENT` | Information required for the synchronization of applicable printers is missing.                |
+| `0x8024CFFF` | `WU_E_DRV_UNEXPECTED`         | A driver error not covered by another `WU_E_DRV_*` code.                                       |
 
 ## Windows Update error codes
 
 | Error code |  Message                          | Description                                                  |
 |------------|-----------------------------------|--------------------------------------------------------------|
-| 0x80240001 | `WU_E_NO_SERVICE`                 | Windows Update Agent was unable to provide the service.
-| 0x80240002 | `WU_E_MAX_CAPACITY_REACHED`       | The maximum capacity of the service was exceeded.
-| 0x80240003 | `WU_E_UNKNOWN_ID`                 | An ID cannot be found.
-| 0x80240004 | `WU_E_NOT_INITIALIZED`            | The object could not be initialized.
-| 0x80240005 | `WU_E_RANGEOVERLAP`               | The update handler requested a byte range overlapping a previously requested range.
-| 0x80240006 | `WU_E_TOOMANYRANGES`              | The requested number of byte ranges exceeds the maximum number (2^31 - 1).
-| 0x80240007 | `WU_E_INVALIDINDEX`               | The index to a collection was invalid.
-| 0x80240008 | `WU_E_ITEMNOTFOUND`               | The key for the item queried could not be found.
-| 0x80240009 | `WU_E_OPERATIONINPROGRESS`        | Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.
-| 0x8024000A | `WU_E_COULDNOTCANCEL`             | Cancellation of the operation was not allowed.
-| 0x8024000B | `WU_E_CALL_CANCELLED`             | Operation was canceled.
-| 0x8024000C | `WU_E_NOOP`                       | No operation was required.
-| 0x8024000D | `WU_E_XML_MISSINGDATA`            | Windows Update Agent could not find required information in the update's XML data.
-| 0x8024000E | `WU_E_XML_INVALID`                | Windows Update Agent found invalid information in the update's XML data.
-| 0x8024000F | `WU_E_CYCLE_DETECTED`             | Circular update relationships were detected in the metadata.
-| 0x80240010 | `WU_E_TOO_DEEP_RELATION`          | Update relationships too deep to evaluate were evaluated.
-| 0x80240011 | `WU_E_INVALID_RELATIONSHIP`       | An invalid update relationship was detected.
-| 0x80240012 | `WU_E_REG_VALUE_INVALID`          | An invalid registry value was read.
-| 0x80240013 | `WU_E_DUPLICATE_ITEM`             | Operation tried to add a duplicate item to a list.  
-| 0x80240016 | `WU_E_INSTALL_NOT_ALLOWED`        | Operation tried to install while another installation was in progress or the system was pending a mandatory restart.
-| 0x80240017 | `WU_E_NOT_APPLICABLE`             | Operation was not performed because there are no applicable updates.
-| 0x80240018 | `WU_E_NO_USERTOKEN`               | Operation failed because a required user token is missing.
-| 0x80240019 | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update cannot be installed with other updates at the same time.
-| 0x8024001A | `WU_E_POLICY_NOT_SET`             | A policy value was not set.  
-| 0x8024001B | `WU_E_SELFUPDATE_IN_PROGRESS`     | The operation could not be performed because the Windows Update Agent is self-updating.
-| 0x8024001D | `WU_E_INVALID_UPDATE`             | An update contains invalid metadata.
-| 0x8024001E | `WU_E_SERVICE_STOP`               | Operation did not complete because the service or system was being shut down.
-| 0x8024001F | `WU_E_NO_CONNECTION`              | Operation did not complete because the network connection was unavailable.
-| 0x80240020 | `WU_E_NO_INTERACTIVE_USER`        | Operation did not complete because there is no logged-on interactive user.
-| 0x80240021 | `WU_E_TIME_OUT`                   | Operation did not complete because it timed out.
-| 0x80240022 | `WU_E_ALL_UPDATES_FAILED`         | Operation failed for all the updates.
-| 0x80240023 | `WU_E_EULAS_DECLINED`             | The license terms for all updates were declined.
-| 0x80240024 | `WU_E_NO_UPDATE`                  | There are no updates.
-| 0x80240025 | `WU_E_USER_ACCESS_DISABLED`       | Group Policy settings prevented access to Windows Update.
-| 0x80240026 | `WU_E_INVALID_UPDATE_TYPE`        | The type of update is invalid.
-| 0x80240027 | `WU_E_URL_TOO_LONG`               | The URL exceeded the maximum length.  
-| 0x80240028 | `WU_E_UNINSTALL_NOT_ALLOWED`      | The update could not be uninstalled because the request did not originate from a WSUS server.
-| 0x80240029 | `WU_E_INVALID_PRODUCT_LICENSE`    | Search may have missed some updates before there is an unlicensed application on the system.
-| 0x8024002A | `WU_E_MISSING_HANDLER`            | A component required to detect applicable updates was missing.
-| 0x8024002B | `WU_E_LEGACYSERVER`               | An operation did not complete because it requires a newer version of server.
-| 0x8024002C | `WU_E_BIN_SOURCE_ABSENT`          | A delta-compressed update could not be installed because it required the source.
-| 0x8024002D | `WU_E_SOURCE_ABSENT`              | A full-file update could not be installed because it required the source.
-| 0x8024002E | `WU_E_WU_DISABLED`                | Access to an unmanaged server is not allowed.
-| 0x8024002F | `WU_E_CALL_CANCELLED_BY_POLICY`   | Operation did not complete because the DisableWindowsUpdateAccess policy was set.
-| 0x80240030 | `WU_E_INVALID_PROXY_SERVER`       | The format of the proxy list was invalid.
-| 0x80240031 | `WU_E_INVALID_FILE`               | The file is in the wrong format.
-| 0x80240032 | `WU_E_INVALID_CRITERIA`           | The search criteria string was invalid.
-| 0x80240033 | `WU_E_EULA_UNAVAILABLE`           | License terms could not be downloaded.
-| 0x80240034 | `WU_E_DOWNLOAD_FAILED`            | Update failed to download.
-| 0x80240035 | `WU_E_UPDATE_NOT_PROCESSED`       | The update was not processed.
-| 0x80240036 | `WU_E_INVALID_OPERATION`          | The object's current state did not allow the operation.
-| 0x80240037 | `WU_E_NOT_SUPPORTED`              | The functionality for the operation is not supported.
-| 0x80240038 | `WU_E_WINHTTP_INVALID_FILE`       | The downloaded file has an unexpected content type.
-| 0x80240039 | `WU_E_TOO_MANY_RESYNC`            | Agent is asked by server to resync too many times.
-| 0x80240040 | `WU_E_NO_SERVER_CORE_SUPPORT`     | `WUA API` method does not run on Server Core installation.
-| 0x80240041 | `WU_E_SYSPREP_IN_PROGRESS`        | Service is not available while sysprep is running.
-| 0x80240042 | `WU_E_UNKNOWN_SERVICE`            | The update service is no longer registered with `AU`.
-| 0x80240043 | `WU_E_NO_UI_SUPPORT`              | There is no support for `WUA UI`.
-| 0x80240FFF | `WU_E_UNEXPECTED`                 | An operation failed due to reasons not covered by another error code.
-| 0x80070422 |                                   | Windows Update service stopped working or is not running.
+| `0x80240001` | `WU_E_NO_SERVICE`                 | Windows Update Agent was unable to provide the service.
+| `0x80240002` | `WU_E_MAX_CAPACITY_REACHED`       | The maximum capacity of the service was exceeded.
+| `0x80240003` | `WU_E_UNKNOWN_ID`                 | An ID can't be found.
+| `0x80240004` | `WU_E_NOT_INITIALIZED`            | The object couldn't be initialized.
+| `0x80240005` | `WU_E_RANGEOVERLAP`               | The update handler requested a byte range overlapping a previously requested range.
+| `0x80240006` | `WU_E_TOOMANYRANGES`              | The requested number of byte ranges exceeds the maximum number (2^31 - 1).
+| `0x80240007` | `WU_E_INVALIDINDEX`               | The index to a collection was invalid.
+| `0x80240008` | `WU_E_ITEMNOTFOUND`               | The key for the item queried couldn't be found.
+| `0x80240009` | `WU_E_OPERATIONINPROGRESS`        | Another conflicting operation was in progress. Some operations such as installation can't be performed twice simultaneously.
+| `0x8024000A` | `WU_E_COULDNOTCANCEL`             | Cancellation of the operation wasn't allowed.
+| `0x8024000B` | `WU_E_CALL_CANCELLED`             | Operation was canceled.
+| `0x8024000C` | `WU_E_NOOP`                       | No operation was required.
+| `0x8024000D` | `WU_E_XML_MISSINGDATA`            | Windows Update Agent couldn't find required information in the update's XML data.
+| `0x8024000E` | `WU_E_XML_INVALID`                | Windows Update Agent found invalid information in the update's XML data.
+| `0x8024000F` | `WU_E_CYCLE_DETECTED`             | Circular update relationships were detected in the metadata.
+| `0x80240010` | `WU_E_TOO_DEEP_RELATION`          | Update relationships too deep to evaluate were evaluated.
+| `0x80240011` | `WU_E_INVALID_RELATIONSHIP`       | An invalid update relationship was detected.
+| `0x80240012` | `WU_E_REG_VALUE_INVALID`          | An invalid registry value was read.
+| `0x80240013` | `WU_E_DUPLICATE_ITEM`             | Operation tried to add a duplicate item to a list.  
+| `0x80240016` | `WU_E_INSTALL_NOT_ALLOWED`        | Operation tried to install while another installation was in progress or the system was pending a mandatory restart.
+| `0x80240017` | `WU_E_NOT_APPLICABLE`             | Operation wasn't performed because there are no applicable updates.
+| `0x80240018` | `WU_E_NO_USERTOKEN`               | Operation failed because a required user token is missing.
+| `0x80240019` | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update can't be installed with other updates at the same time.
+| `0x8024001A` | `WU_E_POLICY_NOT_SET`             | A policy value wasn't set.  
+| `0x8024001B` | `WU_E_SELFUPDATE_IN_PROGRESS`     | The operation couldn't be performed because the Windows Update Agent is self-updating.
+| `0x8024001D` | `WU_E_INVALID_UPDATE`             | An update contains invalid metadata.
+| `0x8024001E` | `WU_E_SERVICE_STOP`               | Operation didn't complete because the service or system was being shut down.
+| `0x8024001F` | `WU_E_NO_CONNECTION`              | Operation didn't complete because the network connection was unavailable.
+| `0x80240020` | `WU_E_NO_INTERACTIVE_USER`        | Operation didn't complete because there's no logged-on interactive user.
+| `0x80240021` | `WU_E_TIME_OUT`                   | Operation didn't complete because it timed out.
+| `0x80240022` | `WU_E_ALL_UPDATES_FAILED`         | Operation failed for all the updates.
+| `0x80240023` | `WU_E_EULAS_DECLINED`             | The license terms for all updates were declined.
+| `0x80240024` | `WU_E_NO_UPDATE`                  | There are no updates.
+| `0x80240025` | `WU_E_USER_ACCESS_DISABLED`       | Group Policy settings prevented access to Windows Update.
+| `0x80240026` | `WU_E_INVALID_UPDATE_TYPE`        | The type of update is invalid.
+| `0x80240027` | `WU_E_URL_TOO_LONG`               | The URL exceeded the maximum length.  
+| `0x80240028` | `WU_E_UNINSTALL_NOT_ALLOWED`      | The update couldn't be uninstalled because the request didn't originate from a WSUS server.
+| `0x80240029` | `WU_E_INVALID_PRODUCT_LICENSE`    | Search may have missed some updates before there's an unlicensed application on the system.
+| `0x8024002A` | `WU_E_MISSING_HANDLER`            | A component required to detect applicable updates was missing.
+| `0x8024002B` | `WU_E_LEGACYSERVER`               | An operation didn't complete because it requires a newer version of server.
+| `0x8024002C` | `WU_E_BIN_SOURCE_ABSENT`          | A delta-compressed update couldn't be installed because it required the source.
+| `0x8024002D` | `WU_E_SOURCE_ABSENT`              | A full-file update couldn't be installed because it required the source.
+| `0x8024002E` | `WU_E_WU_DISABLED`                | Access to an unmanaged server isn't allowed.
+| `0x8024002F` | `WU_E_CALL_CANCELLED_BY_POLICY`   | Operation didn't complete because the DisableWindowsUpdateAccess policy was set.
+| `0x80240030` | `WU_E_INVALID_PROXY_SERVER`       | The format of the proxy list was invalid.
+| `0x80240031` | `WU_E_INVALID_FILE`               | The file is in the wrong format.
+| `0x80240032` | `WU_E_INVALID_CRITERIA`           | The search criteria string was invalid.
+| `0x80240033` | `WU_E_EULA_UNAVAILABLE`           | License terms couldn't be downloaded.
+| `0x80240034` | `WU_E_DOWNLOAD_FAILED`            | Update failed to download.
+| `0x80240035` | `WU_E_UPDATE_NOT_PROCESSED`       | The update wasn't processed.
+| `0x80240036` | `WU_E_INVALID_OPERATION`          | The object's current state didn't allow the operation.
+| `0x80240037` | `WU_E_NOT_SUPPORTED`              | The functionality for the operation isn't supported.
+| `0x80240038` | `WU_E_WINHTTP_INVALID_FILE`       | The downloaded file has an unexpected content type.
+| `0x80240039` | `WU_E_TOO_MANY_RESYNC`            | Agent is asked by server to resync too many times.
+| `0x80240040` | `WU_E_NO_SERVER_CORE_SUPPORT`     | `WUA API` method doesn't run on Server Core installation.
+| `0x80240041` | `WU_E_SYSPREP_IN_PROGRESS`        | Service isn't available while sysprep is running.
+| `0x80240042` | `WU_E_UNKNOWN_SERVICE`            | The update service is no longer registered with `AU`.
+| `0x80240043` | `WU_E_NO_UI_SUPPORT`              | There's no support for `WUA UI`.
+| `0x80240FFF` | `WU_E_UNEXPECTED`                 | An operation failed due to reasons not covered by another error code.
+| `0x80070422` |                                   | Windows Update service stopped working or isn't running.
 
 ## Windows Update success codes
 
 | Error code |  Message                     | Description                                                                                                                         |
 |------------|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
-| 0x00240001 | `WU_S_SERVICE_STOP`          | Windows Update Agent was stopped successfully.                                                                                      |
-| 0x00240002 | `WU_S_SELFUPDATE`            | Windows Update Agent updated itself.                                                                                                |
-| 0x00240003 | `WU_S_UPDATE_ERROR`          | Operation completed successfully but there were errors applying the updates.                                                        |
-| 0x00240004 | `WU_S_MARKED_FOR_DISCONNECT` | A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. |
-| 0x00240005 | `WU_S_REBOOT_REQUIRED`       | The system must be restarted to complete installation of the update.                                                                |
-| 0x00240006 | `WU_S_ALREADY_INSTALLED`     | The update to be installed is already installed on the system.                                                                      |
-| 0x00240007 | `WU_S_ALREADY_UNINSTALLED`   | The update to be removed is not installed on the system.                                                                            |
-| 0x00240008 | `WU_S_ALREADY_DOWNLOADED`    | The update to be downloaded has already been downloaded.                                                                            |
+| `0x00240001` | `WU_S_SERVICE_STOP`          | Windows Update Agent was stopped successfully.                                                                                      |
+| `0x00240002` | `WU_S_SELFUPDATE`            | Windows Update Agent updated itself.                                                                                                |
+| `0x00240003` | `WU_S_UPDATE_ERROR`          | Operation completed successfully but there were errors applying the updates.                                                        |
+| `0x00240004` | `WU_S_MARKED_FOR_DISCONNECT` | A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. |
+| `0x00240005` | `WU_S_REBOOT_REQUIRED`       | The system must be restarted to complete installation of the update.                                                                |
+| `0x00240006` | `WU_S_ALREADY_INSTALLED`     | The update to be installed is already installed on the system.                                                                      |
+| `0x00240007` | `WU_S_ALREADY_UNINSTALLED`   | The update to be removed isn't installed on the system.                                                                            |
+| `0x00240008` | `WU_S_ALREADY_DOWNLOADED`    | The update to be downloaded has already been downloaded.                                                                            |
 
 ## Windows Installer minor errors
-The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer.  
+The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they're related to Windows Installer.  
 
 | Error code |  Message                     | Description                                                                                 |
 |------------|------------------------------|---------------------------------------------------------------------------------------------|
-| 0x80241001 | `WU_E_MSI_WRONG_VERSION`     | Search may have missed some updates because the Windows Installer is less than version 3.1. |
-| 0x80241002 | `WU_E_MSI_NOT_CONFIGURED`    | Search may have missed some updates because the Windows Installer is not configured.        |
-| 0x80241003 | `WU_E_MSP_DISABLED`          | Search may have missed some updates because policy has disabled Windows Installer patching. |
-| 0x80241004 | `WU_E_MSI_WRONG_APP_CONTEXT` | An update could not be applied because the application is installed per-user.               |
-| 0x80241FFF | `WU_E_MSP_UNEXPECTED`        | Search may have missed some updates because there was a failure of the Windows Installer.   |
+| `0x80241001` | `WU_E_MSI_WRONG_VERSION`     | Search may have missed some updates because the Windows Installer is less than version 3.1. |
+| `0x80241002` | `WU_E_MSI_NOT_CONFIGURED`    | Search may have missed some updates because the Windows Installer isn't configured.        |
+| `0x80241003` | `WU_E_MSP_DISABLED`          | Search may have missed some updates because policy has disabled Windows Installer patching. |
+| `0x80241004` | `WU_E_MSI_WRONG_APP_CONTEXT` | An update couldn't be applied because the application is installed per-user.               |
+| `0x80241FFF` | `WU_E_MSP_UNEXPECTED`        | Search may have missed some updates because there was a failure of the Windows Installer.   |
  
 ## Windows Update Agent update and setup errors
 
 | Error code |  Message                               | Description                                                                                                                       |
 |------------|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
-| 0x8024D001 | `WU_E_SETUP_INVALID_INFDATA`           | Windows Update Agent could not be updated because an INF file contains invalid information.                                       |
-| 0x8024D002 | `WU_E_SETUP_INVALID_IDENTDATA`         | Windows Update Agent could not be updated because the `wuident.cab` file contains invalid information.                            |
-| 0x8024D003 | `WU_E_SETUP_ALREADY_INITIALIZED`       | Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice.    |
-| 0x8024D004 | `WU_E_SETUP_NOT_INITIALIZED`           | Windows Update Agent could not be updated because setup initialization never completed successfully.                              |
-| 0x8024D005 | `WU_E_SETUP_SOURCE_VERSION_MISMATCH`   | Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions. |
-| 0x8024D006 | `WU_E_SETUP_TARGET_VERSION_GREATER`    | Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file.    |
-| 0x8024D007 | `WU_E_SETUP_REGISTRATION_FAILED`       | Windows Update Agent could not be updated because `regsvr32.exe` returned an error.                                               |
-| 0x8024D009 | `WU_E_SETUP_SKIP_UPDATE`               | An update to the Windows Update Agent was skipped due to a directive in the `wuident.cab` file.                                   |
-| 0x8024D00A | `WU_E_SETUP_UNSUPPORTED_CONFIGURATION` | Windows Update Agent could not be updated because the current system configuration is not supported.                              |
-| 0x8024D00B | `WU_E_SETUP_BLOCKED_CONFIGURATION`     | Windows Update Agent could not be updated because the system is configured to block the update.                                   |
-| 0x8024D00C | `WU_E_SETUP_REBOOT_TO_FIX`             | Windows Update Agent could not be updated because a restart of the system is required.                                            |
-| 0x8024D00D | `WU_E_SETUP_ALREADYRUNNING`            | Windows Update Agent setup is already running.                                                                                    |
-| 0x8024D00E | `WU_E_SETUP_REBOOTREQUIRED`            | Windows Update Agent setup package requires a reboot to complete installation.                                                    |
-| 0x8024D00F | `WU_E_SETUP_HANDLER_EXEC_FAILURE`      | Windows Update Agent could not be updated because the setup handler failed during execution.                                      |
-| 0x8024D010 | `WU_E_SETUP_INVALID_REGISTRY_DATA`     | Windows Update Agent could not be updated because the registry contains invalid information.                                      |
-| 0x8024D013 | `WU_E_SETUP_WRONG_SERVER_VERSION`      | Windows Update Agent could not be updated because the server does not contain update information for this version.                |
-| 0x8024DFFF | `WU_E_SETUP_UNEXPECTED`                | Windows Update Agent could not be updated because of an error not covered by another `WU_E_SETUP_*` error code.                   |
+| `0x8024D001` | `WU_E_SETUP_INVALID_INFDATA`           | Windows Update Agent couldn't be updated because an INF file contains invalid information.                                       |
+| `0x8024D002` | `WU_E_SETUP_INVALID_IDENTDATA`         | Windows Update Agent couldn't be updated because the `wuident.cab` file contains invalid information.                            |
+| `0x8024D003` | `WU_E_SETUP_ALREADY_INITIALIZED`       | Windows Update Agent couldn't be updated because of an internal error that caused setup initialization to be performed twice.    |
+| `0x8024D004` | `WU_E_SETUP_NOT_INITIALIZED`           | Windows Update Agent couldn't be updated because setup initialization never completed successfully.                              |
+| `0x8024D005` | `WU_E_SETUP_SOURCE_VERSION_MISMATCH`   | Windows Update Agent couldn't be updated because the versions specified in the INF don't match the actual source file versions. |
+| `0x8024D006` | `WU_E_SETUP_TARGET_VERSION_GREATER`    | Windows Update Agent couldn't be updated because a WUA file on the target system is newer than the corresponding source file.    |
+| `0x8024D007` | `WU_E_SETUP_REGISTRATION_FAILED`       | Windows Update Agent couldn't be updated because `regsvr32.exe` returned an error.                                               |
+| `0x8024D009` | `WU_E_SETUP_SKIP_UPDATE`               | An update to the Windows Update Agent was skipped due to a directive in the `wuident.cab` file.                                   |
+| `0x8024D00A` | `WU_E_SETUP_UNSUPPORTED_CONFIGURATION` | Windows Update Agent couldn't be updated because the current system configuration isn't supported.                              |
+| `0x8024D00B` | `WU_E_SETUP_BLOCKED_CONFIGURATION`     | Windows Update Agent couldn't be updated because the system is configured to block the update.                                   |
+| `0x8024D00C` | `WU_E_SETUP_REBOOT_TO_FIX`             | Windows Update Agent couldn't be updated because a restart of the system is required.                                            |
+| `0x8024D00D` | `WU_E_SETUP_ALREADYRUNNING`            | Windows Update Agent setup is already running.                                                                                    |
+| `0x8024D00E` | `WU_E_SETUP_REBOOTREQUIRED`            | Windows Update Agent setup package requires a reboot to complete installation.                                                    |
+| `0x8024D00F` | `WU_E_SETUP_HANDLER_EXEC_FAILURE`      | Windows Update Agent couldn't be updated because the setup handler failed during execution.                                      |
+| `0x8024D010` | `WU_E_SETUP_INVALID_REGISTRY_DATA`     | Windows Update Agent couldn't be updated because the registry contains invalid information.                                      |
+| `0x8024D013` | `WU_E_SETUP_WRONG_SERVER_VERSION`      | Windows Update Agent couldn't be updated because the server doesn't contain update information for this version.                |
+| `0x8024DFFF` | `WU_E_SETUP_UNEXPECTED`                | Windows Update Agent couldn't be updated because of an error not covered by another `WU_E_SETUP_*` error code.                   |
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index b4ab1cd282..2279f4318c 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -2,20 +2,22 @@
 title: Windows Update log files
 description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: troubleshooting
 author: mestew
 ms.author: mstewart
 manager: aaroncz
-ms.topic: troubleshooting
 ms.collection:
   - highpri
   - tier2
-ms.technology: itpro-updates
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 12/31/2017
 ---
 
 # Windows Update log files
 
->Applies to: Windows 10
 
 The following table describes the log files created by Windows Update.
 
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index cf56c12408..7965aa2782 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -2,12 +2,15 @@
 title: Get started with Windows Update
 description: An overview of learning resources for Windows Update, including documents on architecture, log files, and common errors.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
 manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 09/18/2018
-ms.topic: article
-ms.technology: itpro-updates
 ---
 
 # Get started with Windows Update
@@ -31,7 +34,7 @@ To understand the changes to the Windows Update architecture that UUP introduces
 
 ![Windows Update terminology.](images/update-terminology.png)
 
-- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. 
+- **Update UI** - The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. 
 - **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update.  
 
    Update types- 
@@ -51,5 +54,5 @@ To understand the changes to the Windows Update architecture that UUP introduces
  
 Additional components include the following- 
 
-- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules. 
-- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.  
+- **CompDB** - A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules. 
+- **Action List** - The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.  
diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md
index 9cf0c08919..ab1ed81b28 100644
--- a/windows/deployment/update/windows-update-security.md
+++ b/windows/deployment/update/windows-update-security.md
@@ -1,13 +1,16 @@
 ---
 title: Windows Update security
 manager: aaroncz
-description: Overview of the security for Windows Update.
+description: Overview of the security for Windows Update including security for the metadata exchange and content download.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
-ms.topic: article
-ms.date: 10/25/2022
-ms.technology: itpro-updates
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+ms.date: 08/28/2023
 ---
 
 # Windows Update security
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index 96a06feeab..714ea509f5 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -1,48 +1,71 @@
 ---
-title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10)
+title: Enforce compliance deadlines with policies
+titleSuffix: Windows Update for Business
 description: This article contains information on how to enforce compliance deadlines using Windows Update for Business.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 05/12/2023
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+ms.date: 10/10/2023
 ---
 # Enforcing compliance deadlines for updates
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
 
-With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings:
+With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as separate settings:
 
-- Update/ConfigureDeadlineForFeatureUpdates
-- Update/ConfigureDeadlineForQualityUpdates
-- Update/ConfigureDeadlineGracePeriod
-- Update/ConfigureDeadlineNoAutoReboot
+- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates) 
+- [Update/ConfigureDeadlineForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates) (Windows 11, version 22H2 or later)
+- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
 
-### Policy setting overview
+
+## Policy setting overview for clients running Windows 11, version 22H2 and later
+
+|Policy| Description |
+|-|-|
+| Specify deadlines for automatic updates and restarts | This policy lets you specify the number of days before quality and feature updates are installed on devices automatically, and a grace period, after which required restarts occur automatically. This policy includes an option to opt out of automatic restarts until the end of the grace period is reached. |
+
+### Suggested configurations for clients running Windows 11, version 22H2 and later
+
+| Policy | Location | Quality updates deadline in days | Quality updates grace period in days | Feature updates deadline in days | Feature updates grace period in days |
+|-|-|-|-|-|-|
+| Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 2 | 2 | 7 |
+
+When **Specify deadlines for automatic updates and restarts** is set:
+
+The deadline calculation for both quality and feature updates is based off the time the client's update scan initially discovered the update. Previously, the deadline was based off the release date of the update for quality updates and the reboot pending date for feature updates. The change for deadline calculation was made to improve the predictability of restart.
+
+The grace period for both quality and feature updates starts its countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, users are able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. Once the *effective deadline* is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) Grace periods are useful for users who may be coming back from vacation, or other extended time away from their device, to ensure a forced reboot doesn't occur immediately after they return.
+
+> [!NOTE]
+> When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
+
+## Policy setting overview for clients running Windows 11, version 21H2 and earlier
 
 |Policy|Description |
 |-|-|
 | (Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | This policy includes a deadline and a configurable grace period with the option to opt out of automatic restarts until the deadline is reached. This is the recommended policy for Windows 10, version 1709 and later.|
 
-### Suggested configurations
+### Suggested configurations for clients running Windows 11, version 21H2 and earlier
 
 |Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
 |-|-|-|-|-|
-|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts    | 2 | 2 | 5 |
+|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts  | 2 | 7 | 2 |
 
 When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and later):
 
-For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device will try to update outside of active hours. Once the *effective deadline* is reached, the device will try to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) 
+For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device tries to update outside of active hours. Once the *effective deadline* is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) 
 
-For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device will try to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in in the background). When the pending restart time is reached, the device will notify the user and try to update outside of active hours. Once the effective deadline is reached, the device will try to restart during active hours.
+For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device tries to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in the background). When the pending restart time is reached, the device notifies the user and tries to update outside of active hours. Once the effective deadline is reached, the device tries to restart during active hours.
 
 > [!NOTE]
-> When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
+> - When using the newer policy that contains **Feature updates grace period in days**, this setting is ignored by clients that are running Windows 11 version 21H2 and earlier. The grace period for quality updates is used for both quality updates and feature updates for these clients.
+> - When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index 8d7b1f616c..0e0b313437 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -1,19 +1,24 @@
 ---
 title: Microsoft 365 admin center software updates page
+titleSuffix: Windows Update for Business reports
 manager: aaroncz
 description: Microsoft admin center populates Windows Update for Business reports data into the software updates page.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
-ms.topic: article
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows Update for Business reports</a>	
+- ✅ <a href=https://learn.microsoft.com/microsoft-365/admin/admin-overview/admin-center-overview >Microsoft 365 admin center</a>	
 ms.date: 04/26/2023
-ms.technology: itpro-updates
 ---
 
 # Microsoft 365 admin center software updates page
 <!--37063317, 30141258, 37063041, ID2616577, ID2582518 -->
-***(Applies to: Windows 11 & Windows 10 using [Windows Update for Business reports](wufb-reports-overview.md) and the [Microsoft 365 admin center](/microsoft-365/admin/admin-overview/admin-center-overview))***
 
 The **Software updates** page in the [Microsoft 365 admin center](https://admin.microsoft.com) displays a high-level overview of the installation status for Microsoft 365 Apps and Windows updates in your environment. [Quality updates](quality-updates.md) that contain security fixes are typically released on the second Tuesday of each month. Ensuring these updates are installed is important because they help protect you from known vulnerabilities. The **Software updates** page allows you to easily determine the overall update compliance for your devices.
 
diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md
index dc875c8675..395856651d 100644
--- a/windows/deployment/update/wufb-reports-configuration-intune.md
+++ b/windows/deployment/update/wufb-reports-configuration-intune.md
@@ -1,20 +1,21 @@
 ---
-title: Configuring Microsoft Intune devices for Windows Update for Business reports
-manager: aaroncz
-description: Configuring devices that are enrolled in Microsoft Intune for Windows Update for Business reports
+title: Configure devices using Microsoft Intune
+titleSuffix: Windows Update for Business reports
+description: How to configure devices to use Windows Update for Business reports from Microsoft Intune.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
+manager: aaroncz
 ms.localizationpriority: medium
-ms.topic: article
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11 and Windows 10</a> devices managed by <a href=https://learn.microsoft.com/mem/intune/fundamentals/what-is-intune target=_blank>Microsoft Intune</a>
 ms.date: 03/08/2023
-ms.technology: itpro-updates
 ---
 
 # Configuring Microsoft Intune devices for Windows Update for Business reports
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Intune](/mem/intune/fundamentals/what-is-intune)***
-
 
 This article is targeted at configuring devices enrolled to [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) for Windows Update for Business reports, within Microsoft Intune itself. Configuring devices for Windows Update for Business reports in Microsoft Intune breaks down to the following steps:
 
diff --git a/windows/deployment/update/wufb-reports-configuration-manual.md b/windows/deployment/update/wufb-reports-configuration-manual.md
index 1d156ad5b7..3f3c8c7937 100644
--- a/windows/deployment/update/wufb-reports-configuration-manual.md
+++ b/windows/deployment/update/wufb-reports-configuration-manual.md
@@ -1,19 +1,22 @@
 ---
-title: Manually configuring devices for Windows Update for Business reports
-manager: aaroncz
-description: How to manually configure devices for Windows Update for Business reports
+title: Manually configure devices to send data
+titleSuffix: Windows Update for Business reports
+description: How to manually configure devices for Windows Update for Business reports using a PowerShell script.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
+manager: aaroncz
 ms.localizationpriority: medium
-ms.topic: article
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 11/15/2022
-ms.technology: itpro-updates
 ---
 
 # Manually configuring devices for Windows Update for Business reports
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
 
 There are a number of requirements to consider when manually configuring devices for Windows Update for Business reports. These requirements can potentially change with newer versions of Windows client. The [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
 
diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md
index 69feacba6f..10af47e205 100644
--- a/windows/deployment/update/wufb-reports-configuration-script.md
+++ b/windows/deployment/update/wufb-reports-configuration-script.md
@@ -1,19 +1,22 @@
 ---
-title: Windows Update for Business reports configuration script
-manager: aaroncz
-description: Downloading and using the Windows Update for Business reports configuration script
+title: Configure clients with a script
+titleSuffix: Windows Update for Business reports
+description: How to get and use the Windows Update for Business reports configuration script to configure devices for Windows Update for Business reports.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
+manager: aaroncz
 ms.localizationpriority: medium
-ms.topic: article
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 07/11/2023
-ms.technology: itpro-updates
 ---
 
 # Configuring devices through the Windows Update for Business reports configuration script
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
 
 The Windows Update for Business reports configuration script is the recommended method of configuring devices to send data to Microsoft for use with Windows Update for Business reports. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configure devices for Windows Update for Business reports](wufb-reports-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured.
 
diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md
index ddb2f0861d..d71d76d0be 100644
--- a/windows/deployment/update/wufb-reports-do.md
+++ b/windows/deployment/update/wufb-reports-do.md
@@ -1,19 +1,22 @@
 ---
-title: Delivery Optimization data in Windows Update for Business reports
-manager: aaroncz
-description: Provides information about Delivery Optimization data in Windows Update for Business reports 
+title: Delivery Optimization data in reports
+titleSuffix: Windows Update for Business reports
+description: This article provides information about Delivery Optimization data in Windows Update for Business reports. 
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
-ms.topic: article
+manager: aaroncz
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 04/12/2023
-ms.technology: itpro-updates
 ---
 
 # Delivery Optimization data in Windows Update for Business reports
-
 <!--7715481-->
-***(Applies to: Windows 11 & Windows 10)***
 
 [Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement.
 
@@ -92,7 +95,7 @@ Each calculated values used in the Delivery Optimization report are listed below
 
 ## Mapping GroupID
 
-In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example:
+In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash and is case sensitive. You can create a mapping of original to encoded GroupIDs using the following PowerShell example:
 
 ```powershell
 $text = "<myOriginalGroupID>`0" ; # The `0 null terminator is required
diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md
index c29c9dced3..27a5b5ad14 100644
--- a/windows/deployment/update/wufb-reports-enable.md
+++ b/windows/deployment/update/wufb-reports-enable.md
@@ -1,19 +1,21 @@
 ---
 title: Enable Windows Update for Business reports
-manager: aaroncz
-description: How to enable Windows Update for Business reports through the Azure portal
+titleSuffix: Windows Update for Business reports
+description: How to enable the Windows Update for Business reports service through the Azure portal or the Microsoft 365 admin center.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
-ms.topic: article
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 07/11/2023
-ms.technology: itpro-updates
 ---
 
 # Enable Windows Update for Business reports
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
 After verifying the [prerequisites](wufb-reports-prerequisites.md) are met, you can start to set up Windows Update for Business reports. The two main steps for setting up  Windows Update for Business reports are:
 
 1. [Add Windows Update for Business reports](#bkmk_add) to your Azure subscription. This step has the following phases:
diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml
index 98ba761d81..fe8f250ece 100644
--- a/windows/deployment/update/wufb-reports-faq.yml
+++ b/windows/deployment/update/wufb-reports-faq.yml
@@ -1,14 +1,15 @@
 ### YamlMime:FAQ
 metadata:
-  title: Windows Update for Business reports - Frequently Asked Questions (FAQ)
+  title: Frequently Asked Questions (FAQ)
+  titleSuffix: Windows Update for Business reports
   description: Answers to frequently asked questions about Windows Update for Business reports.
   ms.prod: windows-client
+  ms.technology: itpro-updates
   ms.topic: faq
-  ms.date: 06/20/2023
   manager: aaroncz
   author: mestew
   ms.author: mstewart
-  ms.technology: itpro-updates
+  ms.date: 06/20/2023
 title: Frequently Asked Questions about Windows Update for Business reports
 summary: |
   This article answers frequently asked questions about Windows Update for Business reports. <!--7760853-->
@@ -54,7 +55,7 @@ sections:
     questions:
       - question: What is Windows Update for Business reports?
         answer: |
-          Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses.  
+          Windows Update for Business reports is a cloud-based solution that provides information about your Microsoft Entra joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses.  
       - question: Is Windows Update for Business reports free?
         answer: |
           Data ingested into your Log Analytics workspace can be retained at no charge for up to first 31 days (or 90 days if [Microsoft Sentinel](/azure/sentinel/overview) is enabled on the workspace). Data ingested into [Application Insights](/azure/azure-monitor/app/app-insights-overview), either classic or workspace-based, is retained for 90 days without any charge.
@@ -179,4 +180,4 @@ sections:
             [Delivery Optimization PowerShell cmdlets](waas-delivery-optimization-setup.md#monitor-delivery-optimization) can be a powerful tool used to monitor Delivery Optimization data on the device. These cmdlets use the cache on the device. The data calculated in the report is taken from the Delivery Optimization events.
       - question: The report represents the last 28 days of data, why do some queries include >= seven days?
         answer: |
-            The data in the report does represent the last 28 days of data. The query for last seven days is just to get the data for the latest snapshot from past seven days. It's possible that data is delayed for sometime and not available for current day, so we look for past seven day snapshot in log analytics and show the latest snapshot.
\ No newline at end of file
+            The data in the report does represent the last 28 days of data. The query for last seven days is just to get the data for the latest snapshot from past seven days. It's possible that data is delayed for sometime and not available for current day, so we look for past seven day snapshot in log analytics and show the latest snapshot.
diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md
index 90184b8f3e..49268fb5a7 100644
--- a/windows/deployment/update/wufb-reports-help.md
+++ b/windows/deployment/update/wufb-reports-help.md
@@ -1,20 +1,21 @@
 ---
-title: Windows Update for Business reports feedback, support, and troubleshooting
-manager: aaroncz
-description: Windows Update for Business reports support information.
+title: Feedback, support, and troubleshooting
+titleSuffix: Windows Update for Business reports
+description: Windows Update for Business reports support, feedback, and troubleshooting information.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: article
 author: mestew
 ms.author: mstewart
-ms.topic: article
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 02/10/2023
-ms.technology: itpro-updates
 ---
 
 # Windows Update for Business reports feedback, support, and troubleshooting
-
 <!-- MAX6325272, OS33771278 -->
-***(Applies to: Windows 11 & Windows 10)***
-
 There are several resources that you can use to find help with Windows Update for Business reports. Whether you're just getting started or an experienced administrator, use the following resources when you need help with Windows Update for Business reports:
 
 - Send [product feedback about Windows Update for Business reports](#send-product-feedback)
diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md
index 13c5e19777..a38066595f 100644
--- a/windows/deployment/update/wufb-reports-overview.md
+++ b/windows/deployment/update/wufb-reports-overview.md
@@ -1,20 +1,22 @@
 ---
 title: Windows Update for Business reports overview
-manager: aaroncz
+titleSuffix: Windows Update for Business reports
 description: Overview of Windows Update for Business reports to explain what it's used for and the cloud services it relies on.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: overview
 author: mestew
 ms.author: mstewart
-ms.topic: article
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 11/15/2022
-ms.technology: itpro-updates
 ---
 
 # Windows Update for Business reports overview
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
-Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you:
+Windows Update for Business reports is a cloud-based solution that provides information about your Microsoft Entra joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you:
 
 - Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices
 - Report on devices with update compliance issues
@@ -54,7 +56,7 @@ Windows Update for Business reports is a Windows service hosted in Azure that us
 
 ## How Windows Update for Business reports works
 
-You'll set up Windows Update for Business reports by enrolling into the service from the Azure portal. Then you'll configure your Azure AD-joined devices to send Windows client diagnostic data to the service. Windows Update for Business reports uses [Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview) to store the diagnostic data the clients send. You can use this data for reporting on updates for your devices. Windows Update for Business reports collects system data such as:
+You'll set up Windows Update for Business reports by enrolling into the service from the Azure portal. Then you'll configure your Microsoft Entra joined devices to send Windows client diagnostic data to the service. Windows Update for Business reports uses [Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview) to store the diagnostic data the clients send. You can use this data for reporting on updates for your devices. Windows Update for Business reports collects system data such as:
 
 - Update deployment progress
 - Delivery Optimization usage data
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index bdd9e61896..3b3527ba45 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -1,27 +1,31 @@
 ---
-title: Windows Update for Business reports prerequisites
-manager: aaroncz
-description: Prerequisites for Windows Update for Business reports
+title: Prerequisites for Windows Update for Business reports
+titleSuffix: Windows Update for Business reports
+description: List of prerequisites for enabling and using Windows Update for Business reports in your organization.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
-ms.topic: article
-ms.date: 06/27/2023
-ms.technology: itpro-updates
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+ms.date: 08/30/2023
 ---
 
 # Windows Update for Business reports prerequisites
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
 Before you begin the process of adding Windows Update for Business reports to your Azure subscription, ensure you meet the prerequisites.
 
-## Azure and Azure Active Directory
+<a name='azure-and-azure-active-directory'></a>
 
-- An Azure subscription with [Azure Active Directory](/azure/active-directory/)
-- Devices must be Azure Active Directory-joined and meet the below OS, diagnostic, and endpoint access requirements.
-  - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
-- Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business reports.
+## Azure and Microsoft Entra ID
+
+- An Azure subscription with [Microsoft Entra ID](/azure/active-directory/)
+- Devices must be Microsoft Entra joined and meet the below OS, diagnostic, and endpoint access requirements.
+  - Devices can be [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+- Devices that are [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business reports.
 - The Log Analytics workspace must be in a [supported region](#log-analytics-regions)
 - Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md)
 
@@ -68,7 +72,7 @@ Device names don't appear in Windows Update for Business reports unless you indi
 
 Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices.  For more information about data handling and privacy for Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) and [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data).
 
-## Data transmission requirements
+## Endpoints
 
 <!--Using include for endpoint access requirements-->
 [!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-endpoints.md)]
diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md
index 364bed3d49..9966c6a6ad 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclient.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclient.md
@@ -1,25 +1,29 @@
 ---
-title: Windows Update for Business reports Data Schema - UCClient
-manager: aaroncz
-description: UCClient schema
+title: UCClient data schema
+titleSuffix: Windows Update for Business reports
+description: UCClient schema for Windows Update for Business reports. UCClient acts as an individual device's record.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 author: mestew
 ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 08/09/2023
-ms.technology: itpro-updates
 ---
 
 # UCClient
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
 UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the OS edition, and active hours (quantitative).
 
+## Schema for UCClient
+
 |Field |Type |Example |Description |
 |---|---|---|---|
-| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
-| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
+| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
 | **Country** |  [string](/azure/kusto/query/scalar-data-types/string) | `US` | The last-reported location of device (country or region), based on IP address. Shown as country code. |
 | **DeviceFamily** |  [string](/azure/kusto/query/scalar-data-types/string) | `PC, Phone` | The device family such as PC, Phone. |
 | **DeviceName** |  [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
index de73ebfc5b..a497b36832 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
@@ -1,28 +1,33 @@
 ---
-title: Windows Update for Business reports Data Schema - UCClientReadinessStatus
-manager: aaroncz
-description: UCClientReadinessStatus schema
+title: UCClientReadinessStatus data schema
+titleSuffix: Windows Update for Business reports
+description: UCClientReadinessStatus schema for Windows Update for Business reports. UCClientReadinessStatus is an individual device's record about Windows 11 readiness.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 author: mestew
 ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 06/06/2022
-ms.technology: itpro-updates
 ---
 
 # UCClientReadinessStatus
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 10)***
 
 UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) the device doesn't meet.
 
+## Schema for UCClientReadinessStatus
+
 |Field |Type |Example |Description |
 |---|---|---|---|
 | **DeviceName** |  [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name |
 | **GlobalDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier. |
 | **SCCMClientId** |  [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager Client ID, if available. |
-| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
-| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
+| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
 | **OSName** |  [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10` | The operating system name. |
 | **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Win10 OS Version (such as 19H2, 20H1, 20H2) currently installed on the device. |
 | **OSBuild** |  [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full OS build installed on this device, such as Major.Minor.Build.Revision  |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 1c71d9d355..760d757558 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -1,25 +1,30 @@
 ---
-title: Windows Update for Business reports Data Schema - UCClientUpdateStatus
-manager: aaroncz
-description: UCClientUpdateStatus schema
+title: UCClientUpdateStatus data schema
+titleSuffix: Windows Update for Business reports
+description: UCClientUpdateStatus schema for Windows Update for Business reports. UCClientUpdateStatus combines the latest client-based data with the latest service data.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 author: mestew
 ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 06/05/2023
-ms.technology: itpro-updates
 ---
 
 # UCClientUpdateStatus
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
 
 Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update.
 
+## Schema for UCClientUpdateStatus
+
 | Field | Type | Example | Description |
 |---|---|---|---|
-| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Azure AD tenant to which the device belongs. |
-| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Azure AD device ID |
+| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Microsoft Entra tenant to which the device belongs. |
+| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Microsoft Entra device ID |
 |**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID | 
 | **ClientState** |  [string](/azure/kusto/query/scalar-data-types/string) | `Installing` | Higher-level bucket of ClientSubstate. |
 | **ClientSubstate** |  [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | Last-known state of this update relative to the device, from the client. |
@@ -50,4 +55,4 @@ Update Event that combines the latest client-based data with the latest service-
 | **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
 | **UpdateReleaseTime** |  [datetime](/azure/kusto/query/scalar-data-types/datetime)  | `2020-05-14 09:26:03.478039` | The release date of the update |
 | **UpdateSource** |  [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media |
- 
\ No newline at end of file
+ 
diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index e515e80e13..a449781e51 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -1,21 +1,25 @@
 ---
-title: Windows Update for Business reports Data Schema - UCDeviceAlert
-manager: aaroncz
-description: UCDeviceAlert schema
+title: UCDeviceAlert data schema
+titleSuffix: Windows Update for Business reports
+description: UCDeviceAlert schema for Windows Update for Business reports. UCDeviceAlert is an individual device's record about an alert.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 author: mestew
 ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 06/06/2022
-ms.technology: itpro-updates
 ---
 
 # UCDeviceAlert
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
 These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from (ServiceDeviceAlert, ClientDeviceAlert). For example, an EndOfService alert is a ClientDeviceAlert, as a build no longer being serviced (EOS) is a client-wide state. Meanwhile, DeviceRegistrationIssues in the Windows Update for Business deployment service will be a ServiceDeviceAlert, as it's a device-wide state in the service to not be correctly registered.
 
+## Schema for UCDeviceAlert
+
 |Field |Type |Example |Description |
 |---|---|---|---|
 | **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |
@@ -24,8 +28,8 @@ These alerts are activated as a result of an issue that is device-specific. It i
 | **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted |
 | **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert. |
 | **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present. |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD device ID of the device, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
+| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra device ID of the device, if available. |
+| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
 | **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
 | **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate |
 | **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
index 25c5d1ae59..d6b10a0364 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
@@ -1,26 +1,31 @@
 ---
-title: Windows Update for Business reports Data Schema - UCDOAggregatedStatus
-ms.reviewer: carmenf
-manager: aaroncz
-description: UCDOAggregatedStatus schema
+title: UCDOAggregatedStatus data schema
+titleSuffix: Windows Update for Business reports
+description: UCDOAggregatedStatus schema for Windows Update for Business reports. UCDOAggregatedStatus is an aggregation of all UDDOStatus records across the tenant.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 author: mestew
 ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+ms.reviewer: carmenf
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 11/17/2022
-ms.technology: itpro-updates
 ---
 
 # UCDOAggregatedStatus
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
 
 UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do).
 
+## Schema for UCDOAggregatedStatus
+
 |Field |Type |Example |Description |
 |---|---|---|---|
-| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
-| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
+| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
 | **BWOptPercent28Days** |  [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
 | **BytesFromCache** |  [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
 | **BytesFromCDN** |  [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
index 7897c27f1c..c9f8f9a935 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdostatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
@@ -1,26 +1,29 @@
 ---
-title: Windows Update for Business reports Data Schema - UCDOStatus
-ms.reviewer: carmenf
-manager: aaroncz
-description: UCDOStatus schema
+title: UCDOStatus data schema
+titleSuffix: Windows Update for Business reports
+description: UCDOStatus schema for Windows Update for Business reports. UCDOStatus provides information, for a single device, on its DO and MCC bandwidth utilization.
 ms.prod: windows-client
+ms.topic: reference
 author: mestew
 ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+ms.reviewer: carmenf
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 11/17/2022
-ms.technology: itpro-updates
 ---
 
 # UCDOStatus
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
 UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do).
 
+## Data schema for UCDOStatus
+
 |Field |Type |Example |Description |
 |---|---|---|---|
-| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
-| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
+| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
 | **BWOptPercent28Days** |  [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
 | **BWOptPercent7Days** |  [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.|
 | **BytesFromCache** |  [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index 8e8e34ea82..004f2def5e 100644
--- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -1,25 +1,29 @@
 ---
-title: Windows Update for Business reports Data Schema - UCServiceUpdateStatus
-manager: aaroncz
-description: UCServiceUpdateStatus schema
+title: UCServiceUpdateStatus data schema
+titleSuffix: Windows Update for Business reports
+description: UCServiceUpdateStatus schema for Windows Update for Business reports. UCServiceUpdateStatus has service-side information for one device and one update.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 author: mestew
 ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 06/06/2022
-ms.technology: itpro-updates
 ---
 
 # UCServiceUpdateStatus
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
 Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. This event has certain fields removed from it in favor of being able to show data in near real time.
 
+## Schema for UCServiceUpdateStatus
+
 | Field | Type | Example | Description |
 |---|---|---|---|
 | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Azure AD tenant to which the device belongs. |
+| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Microsoft Entra tenant to which the device belongs. |
 |**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID | 
 | **DeploymentApprovedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time of the update approval |
 | **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) |`cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
@@ -37,7 +41,7 @@ Update Event that comes directly from the service-side. The event has only servi
 | **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)|  `Azure`| |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build for the content this event is tracking. For Windows 10, this string corresponds to "10.0.Build.Revision" |
 | **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. |
-| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678`  | Azure AD tenant ID |
+| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678`  | Microsoft Entra tenant ID |
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Time the snapshot ran  can also be the same as EventDateTimeUTC in some cases. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `ServiceUpdateEvent` | The EntityType |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index db70047ed0..ba81be193a 100644
--- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
@@ -1,21 +1,25 @@
 ---
-title: Windows Update for Business reports Data Schema - UCUpdateAlert
-manager: aaroncz
-description: UCUpdateAlert schema
+title: UCUpdateAlert data schema
+titleSuffix: Windows Update for Business reports
+description: UCUpdateAlert schema for Windows Update for Business reports. UCUpdateAlert is an alert for both client and service updates.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 author: mestew
 ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 06/06/2022
-ms.technology: itpro-updates
 ---
 
 # UCUpdateAlert
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
 Alert for both client and service updates. Contains information that needs attention, relative to one device (client), one update, and one deployment (if relevant). Certain fields may be blank depending on the UpdateAlert's AlertType field; for example, ServiceUpdateAlert won't necessarily contain client-side statuses.
 
+## Schema for UCUpdateAlert
+
 |Field |Type |Example |Description |
 |---|---|---|---|
 | **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |
@@ -25,8 +29,8 @@ Alert for both client and service updates. Contains information that needs atten
 | **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted |
 | **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert |
 | **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD device ID of the device, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
+| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra device ID of the device, if available. |
+| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
 | **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
 | **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate |
 | **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
@@ -42,7 +46,7 @@ Alert for both client and service updates. Contains information that needs atten
 | **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. |
 | **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. |
-| **TenantId** |[string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
+| **TenantId** |[string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md
index cbcae6c319..8a4fc45ecb 100644
--- a/windows/deployment/update/wufb-reports-schema.md
+++ b/windows/deployment/update/wufb-reports-schema.md
@@ -1,22 +1,24 @@
 ---
 title: Windows Update for Business reports data schema
-manager: aaroncz
-description: An overview of Windows Update for Business reports data schema
+titleSuffix: Windows Update for Business reports
+description: An overview of Windows Update for Business reports data schema to power additional dashboards and data analysis tools.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
 author: mestew
 ms.author: mstewart
-ms.topic: reference
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 11/15/2022
-ms.technology: itpro-updates
 ---
 
-# Windows Update for Business reports schema 
+# Windows Update for Business reports schema
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
 When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Windows Update for Business reports and have a high-level understanding of the capabilities of [Azure Monitor log queries](/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more.
 
-## Schema
+## Schemas for Windows Update for Business reports
 
 The following table summarizes the different tables that are part of the Windows Update for Business reports solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries).
 
diff --git a/windows/deployment/update/wufb-reports-use.md b/windows/deployment/update/wufb-reports-use.md
index 6b58c8cffb..2b4f1b8b1a 100644
--- a/windows/deployment/update/wufb-reports-use.md
+++ b/windows/deployment/update/wufb-reports-use.md
@@ -1,19 +1,21 @@
 ---
 title: Use the Windows Update for Business reports data
-manager: aaroncz
+titleSuffix: Windows Update for Business reports
 description: How to use the Windows Update for Business reports data for custom solutions using tools like Azure Monitor Logs.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
-ms.topic: article
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
 ms.date: 11/15/2022
-ms.technology: itpro-updates
 ---
 
 # Use Windows Update for Business reports
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
 In this article, you'll learn how to use Windows Update for Business reports to monitor Windows updates for your devices. To configure your environment for use with Windows Update for Business reports, see [Enable Windows Update for Business reports](wufb-reports-enable.md).
 
 ## Display Windows Update for Business reports data
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md
index df61f9ca36..d024ceda0d 100644
--- a/windows/deployment/update/wufb-reports-workbook.md
+++ b/windows/deployment/update/wufb-reports-workbook.md
@@ -1,20 +1,21 @@
 ---
 title: Use the workbook for Windows Update for Business reports
-manager: aaroncz
-description: How to use the Windows Update for Business reports workbook.
+titleSuffix: Windows Update for Business reports
+description: How to use the Windows Update for Business reports workbook from the Azure portal.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
 ms.author: mstewart
-ms.topic: article
+manager: aaroncz
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 06/23/2023
-ms.technology: itpro-updates
 ---
 
 # Windows Update for Business reports workbook
 <!-- MAX6325272, OS33771278 -->
-***(Applies to: Windows 11 & Windows 10)***
-
-
 [Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into tab sections:
 
 - [Summary](#summary-tab)
diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md
index c6bd179c95..295f638ff4 100644
--- a/windows/deployment/update/wufb-wsus.md
+++ b/windows/deployment/update/wufb-wsus.md
@@ -2,22 +2,20 @@
 title: Use Windows Update for Business and Windows Server Update Services (WSUS) together
 description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
 ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
 author: mestew
-ms.localizationpriority: medium
 ms.author: mstewart
 manager: aaroncz
-ms.topic: article
-ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.localizationpriority: medium
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+ms.date: 01/13/2022
 ---
 
 # Use Windows Update for Business and WSUS together
 
-**Applies to**
-
-- Windows 10
-- Windows 11
-
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 
 The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business service.
@@ -70,13 +68,10 @@ The policy can be configured using the following two methods:
 2. Configuration Service Provider (CSP) Policies: **SetPolicyDrivenUpdateSourceFor&lt;Update Type>**:
 
 > [!NOTE]
-> You should configure **all** of these policies if you are using CSPs.
+> - You should configure **all** of these policies if you are using CSPs.
+> - Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be altered. 
 
 - [Update/SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourcefordriver)
 - [Update/SetPolicyDrivenUpdateSourceForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature)
 - [Update/SetPolicyDrivenUpdateSourceForOtherUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforother)
 - [Update/SetPolicyDrivenUpdateSourceForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforquality)
-
-
-> [!NOTE]
-> Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be alterred. 
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
deleted file mode 100644
index c3c3acaa55..0000000000
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ /dev/null
@@ -1,175 +0,0 @@
----
-title: Windows 10 edition upgrade (Windows 10)
-description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported.
-manager: aaroncz
-ms.author: frankroj
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.topic: conceptual
-ms.collection:
-  - highpri
-  - tier2
-ms.technology: itpro-deploy
-ms.date: 10/28/2022
----
-
-# Windows 10 edition upgrade
-
-**Applies to**
-
--   Windows 10
-
-With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page.
-
-
-The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
-
-> [!NOTE]
-> The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
-
-> [!TIP]
-> Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Configuration Manager.
-
-![not supported.](../images/x_blk.png) (X) = not supported</br>
-![supported, reboot required.](../images/check_grn.png) (green checkmark) = supported, reboot required</br>
-![supported, no reboot.](../images/check_blu.png) (blue checkmark) = supported, no reboot required<br>
-
-<!-- OLD TABLE and key
-X = unsupported <BR>
-&#x2714; (green) = supported; reboot required<BR>
-&#x2714; (blue) = supported; no reboot required
-
-|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile |
-|-------|-----------|-----------------|----------------|-----------------|----------------|--------|
-| Using mobile device management (MDM) |![unsupported.](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
-| Using a provisioning package |![unsupported.](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
-| Using a command-line tool |![unsupported.](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |
-| Entering a product key manually |![supported.](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |
-| Purchasing a license from the Microsoft Store |![supported.](../images/check_grn.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |
--->
-
-| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store |
-|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
-| **Home > Pro** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
-| **Home > Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
-| **Home > Pro Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Home > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Pro > Pro for Workstations** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) |
-| **Pro > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Pro > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro for Workstations > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro for Workstations > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Pro for Workstations > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro Education > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Enterprise > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-
-> [!NOTE]
-> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
-> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
-> <br>
-
-## Upgrade using mobile device management (MDM)
-- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp).
-
-
-## Upgrade using a provisioning package
-Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22).
-
-- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings &gt; EditionUpgrade &gt; UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition.
-
-For more info about Windows Configuration Designer, see these articles:
-- [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package)
-- [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package)
-
-
-## Upgrade using a command-line tool
-You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10:
-
-`changepk.exe /ProductKey <enter your new product key here>`
-
-You can also upgrade using slmgr.vbs and a [KMS client setup key](/windows-server/get-started/kmsclientkeys).  For example, the following command will upgrade to Windows 10 Enterprise.
-
-`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43`
-
-
-## Upgrade by manually entering a product key
-If you're upgrading only a few devices, you may want to enter a product key for the upgraded edition manually.
-
-**To manually enter a product key**
-
-1.  From either the Start menu or the Start screen, type 'Activation' and select on the Activation shortcut.
-
-2.  Select **Change product key**.
-
-3.  Enter your product key.
-
-4.  Follow the on-screen instructions.
-
-## Upgrade by purchasing a license from the Microsoft Store
-If you don't have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store.
-
-**To upgrade through the Microsoft Store**
-
-1.  From either the **Start** menu or the **Start** screen, type 'Activation' and select on the Activation shortcut.
-
-2.  Select **Go to Store**.
-
-3.  Follow the on-screen instructions.
-
-    > [!NOTE]
-    > If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/).
-
-## License expiration
-
-Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path isn't supported, then a clean install is required.
-
-Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key isn't supported.  You also can't downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This article doesn't discuss version downgrades.
-
-> [!NOTE]
-> If you are using [Windows 10 Enterprise Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires.
-
-### Scenario example
-
-Downgrading from Enterprise
-
-- Original edition: **Professional OEM**
-- Upgrade edition: **Enterprise**
-- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education**
-
-You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you're a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
-
-### Supported Windows 10 downgrade paths
-
-✔ = Supported downgrade path
-
-S = Supported; Not considered a downgrade or an upgrade
-
-[blank] = Not supported or not a downgrade
-
-**Destination Edition: (Starting)**
-
-![Supported downgrade path.](../images/check_grn.png) (green checkmark) = Supported downgrade path</br>
-![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) (blue checkmark) = Not considered a downgrade or an upgrade<br>
-![not supported.](../images/x_blk.png) (X) = not supported or not a downgrade</br>
-
-| **Edition** | **Home** | **Pro** | **Pro for Workstations** | **Pro Education** | **Education** | **Enterprise LTSC** | **Enterprise** |
-|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- |
-| **Home** | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) |
-| **Pro** | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) |
-| **Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) |
-| **Pro Education** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) |
-| **Education** | ![not supported.](../images/x_blk.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) |
-| **Enterprise LTSC** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) |
-| **Enterprise** | ![not supported.](../images/x_blk.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) |
-
-> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above.
-
-Some slightly more complex scenarios aren't represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
-
-## Related articles
-
-[Windows 10 upgrade paths](./windows-10-upgrade-paths.md)<br>
-[Windows 10 volume license media](../windows-10-media.md)<br>
-[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 9cd2a2aca9..7686e7d15b 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -11,18 +11,26 @@ ms.collection:
   - highpri
   - tier2
 ms.technology: itpro-deploy
-ms.date: 10/28/2022
+ms.date: 10/02/2023
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Windows 10 upgrade paths
 
-**Applies to**
-
--   Windows 10
+> [!IMPORTANT]
+>
+> This article deals with upgrading from Windows versions that are out of support. For a current version of this article, please see [Windows upgrade paths](windows-upgrade-paths.md) that deals with currently supported versions of Windows.
+>
+> For more information, see:
+>
+> - [Windows 8.1 support ended on January 10, 2023](https://support.microsoft.com/windows/windows-8-1-support-ended-on-january-10-2023-3cfd4cde-f611-496a-8057-923fba401e93).
+> - [Windows 7 support ended on January 14, 2020](https://support.microsoft.com/windows/windows-7-support-ended-on-january-14-2020-b75d4580-2cc7-895a-2c9c-1466d9a53962).
+> - [FAQ about Windows 7 ESU](/troubleshoot/windows-client/windows-7-eos-faq/windows-7-extended-security-updates-faq).
 
 ## Upgrade paths
 
-This article provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. 
+This article provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. Paths include upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported.
 
 If you're also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't maintained when the Windows edition is downgraded.
 
@@ -30,9 +38,9 @@ If you're also migrating to a different edition of Windows, see [Windows 10 edit
 
 - **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC isn't supported. Windows 10 LTSC 2015 didn't block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options.
 
-  You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel if you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You'll need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 GA Channel product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
+  You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel if you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process using Windows setup. The Product Key switch needs to be used if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 GA Channel product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
 
-- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions aren't the same type (for example, Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
+- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown in the following tables. If the pre-upgrade and post-upgrade editions aren't the same type (for example, Windows 8.1 Pro N to Windows 10 Pro), personal data is kept but applications and settings are removed during the upgrade process.
 
 - **Windows 8.0**: You can't upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
 
diff --git a/windows/deployment/upgrade/windows-edition-upgrades.md b/windows/deployment/upgrade/windows-edition-upgrades.md
new file mode 100644
index 0000000000..44c3c79c40
--- /dev/null
+++ b/windows/deployment/upgrade/windows-edition-upgrades.md
@@ -0,0 +1,213 @@
+---
+title: Windows edition upgrade
+description: With Windows, you can quickly upgrade from one edition of Windows to another, provided the upgrade path is supported.
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+ms.localizationpriority: medium
+author: frankroj
+ms.topic: conceptual
+ms.collection:
+  - highpri
+  - tier2
+ms.technology: itpro-deploy
+ms.date: 10/02/2023
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+---
+
+# Windows edition upgrade
+
+With Windows, you can quickly upgrade from one edition of Windows to another, provided the upgrade path is supported. For information on what edition of Windows is right for you, see the following articles:
+
+- [Compare Windows 11 Editions](https://www.microsoft.com/windows/business/compare-windows-11).
+- [Explore Windows 11 Pro features](https://www.microsoft.com/windows/business/windows-11-pro).
+- [Windows 10 Pro vs Windows 11 Pro](https://www.microsoft.com/windows/business/windows-10-pro-vs-windows-11-pro).
+- [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882).
+- [Windows For Business](https://www.microsoft.com/windows/business).
+
+For a comprehensive list of all possible upgrade paths to Windows, see [Windows upgrade paths](windows-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section in this article.
+
+The following table shows the methods and paths available to change the edition of Windows that is running on your computer.
+
+| Edition upgrade | MDM | Provisioning<br>package | Command-<br>line tool | Manually entering<br>product key |
+|-----| ----- | ----- | ----- | ----- |
+| **Home > Pro** | ❌ | ❌ | ❌ | ☑️ |
+| **Home > Pro for Workstations** | ❌ | ❌ | ❌ | ☑️|
+| **Home > Pro Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Home > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Pro > Pro for Workstations** | ✅ | ✅ | ✅ | ✅ |
+| **Pro > Pro Education** | ✅ | ✅ | ✅ | ✅ |
+| **Pro > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Pro > Enterprise** | ✅ | ✅ | ✅ | ✅ |
+| **Pro for Workstations > Pro Education** | ✅ | ✅ | ✅ | ✅ |
+| **Pro for Workstations > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Pro for Workstations > Enterprise** | ✅ | ✅ | ✅ | ✅ |
+| **Pro Education > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+| **Enterprise > Education** | ☑️ | ☑️ | ☑️ | ☑️ |
+
+- ✅ = Supported, no reboot required.
+- ☑️ = Supported, but reboot required.
+- ❌ = Not supported.
+- MDM = Modern device management.
+
+> [!NOTE]
+>
+> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods.
+>
+> - Edition upgrades via Microsoft Store for Business are no longer available with the retirement of the Microsoft Store for Business. For more information, see [Microsoft Store for Business and Education retiring March 31, 2023](/lifecycle/announcements/microsoft-store-for-business-education-retiring) and [Microsoft Store for Business and Microsoft Store for Education overview](/microsoft-store/microsoft-store-for-business-overview).
+
+> [!TIP]
+> Edition upgrade is also possible using edition upgrade policy in Microsoft Configuration Manager. For more information, see [Upgrade Windows devices to a new edition with Configuration Manager](/mem/configmgr/compliance/deploy-use/upgrade-windows-version).
+
+## Upgrade using modern device management (MDM)
+
+To upgrade desktop editions of Windows using MDM, enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp).
+
+For information on upgrading editions of Windows using Microsoft Intune, including switching out of S mode, see [Upgrade Windows 10/11 editions or switch out of S mode on devices using Microsoft Intune](/mem/intune/configuration/edition-upgrade-configure-windows-10).
+
+## Upgrade using a provisioning package
+
+Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition of Windows. Windows Configuration Designer is available as part of the Windows Assessment and Deployment Kit (Windows ADK) or as a stand-alone Microsoft Store app. Download the Windows Configuration Designer from one of the following locations:
+
+- [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) - When installing the ADK, make sure to select **Configuration Designer**. After installation, Windows Configuration Designer can be found in the Start Menu under **Windows Kits** > **Windows Imaging and Configuration Designer**.
+
+- [Windows Configuration Designer](https://apps.microsoft.com/store/detail/windows-configuration-designer/9NBLGGH4TX22) - Microsoft Store app. After installation, Windows Configuration Designer can be found in the Start menu as **Windows Configuration Designer**.
+  > [!div class="nextstepaction"]
+  > [Download Windows Configuration Designer from the Microsoft Store](ms-windows-store://pdp/?ProductId=9NBLGGH4TX22)
+
+To create a provisioning package for upgrading desktop editions of Windows:
+
+1. Open Windows Configuration Designer.
+
+1. Select **Advanced provisioning**.
+
+1. In the **New project** window that opens:
+
+    1. Under **Enter project details**, give the project a name and then select the **Next** button.
+
+    1. Under **Choose which settings to view and configure**, select **All Windows desktop editions** and then select the **Next** button.
+
+    1. Under **Import a provisioning package (optional)**, select the **Finish** button.
+
+1. Under **Available customizations**, expand **Runtime settings** > **EditionUpgrade** and then select **ChangeProductKey**.
+
+1. In the **EditionUpgrade/ChangeProductKey** pane, next to **ChangeProductKey**, enter the product key for the upgraded edition.
+
+1. Under the **File** menu, select **Save**.
+
+1. Under the **Export** menu, select **Provisioning package**.
+
+1. Step through the **Build** wizard to create the provisioning package, making sure to save the provisioning package to a known location.
+
+For more info about Windows Configuration Designer, see the following articles:
+
+- [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
+- [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package)
+
+## Upgrade using a command-line tool
+
+The `changepk.exe` command-line tool can be used to upgrade devices to a supported edition of Windows:
+
+```cmd
+changepk.exe /ProductKey <product_key>`
+```
+
+Upgrades can also be performed using `slmgr.vbs` and a [KMS client setup key](/windows-server/get-started/kmsclientkeys).  For example:
+
+```cmd
+cscript.exe c:\windows\system32\slmgr.vbs /ipk <product_key>
+```
+
+## Upgrade by manually entering a product key
+
+If only a few devices are being upgraded devices, a product key for the upgraded edition can be entered manually. To manually enter a product key:
+
+1. Right click on the **Start** menu and select **Run**.
+
+1. In the **Run** window, next to **Open**, enter
+
+   `ms-settings:activation`
+  
+   and then select **OK**.
+
+1. Select **Change product key**.
+
+1. Enter your product key.
+
+1. Follow the on-screen instructions.
+
+Alternatively, select the following link to automatically open the **Settings** app to the activation page:
+
+> [!div class="nextstepaction"]
+> [Activation](ms-settings:activation)
+
+## Upgrade by purchasing a license from the Microsoft Store
+
+If you don't have a product key, you can upgrade your edition of Windows through the Microsoft Store. To upgrade through the Microsoft Store:
+
+1. Right click on the **Start** menu and select **Run**.
+
+1. In the **Run** window, next to **Open**, enter
+
+   `ms-windows-store://windowsupgrade/`
+  
+   and then select **OK**.
+
+1. Follow the on-screen instructions.
+
+Alternatively, select the following link to automatically open the Microsoft Store to the page for upgrading the edition of Windows:
+
+> [!div class="nextstepaction"]
+> [Upgrade Windows Edition](ms-windows-store://windowsupgrade/)
+
+## License expiration
+
+Volume license customers whose license has expired need to change the edition of Windows to an edition with an active license. Downgrading the edition of Windows is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then apps and settings can be migrated from the current edition. If a path isn't supported, then a clean install is required.
+
+The following scenarios aren't supported:
+
+- Downgrading Windows to a pervious version by entering a different product key, for example from Windows 11 Pro to Windows 10 Pro.
+
+- Downgrading from a later version to an earlier version of the same edition of Windows, for example from Windows 11 Pro 22H2 to Windows 11 Pro 22H1, unless using rollback.
+
+> [!NOTE]
+>
+> If you're using [Windows subscription activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices automatically revert to the original edition when the grace period expires.
+
+## Supported Windows downgrade paths
+
+| Edition | Home | Pro | Pro for<br> Workstations | Pro<br>Education | Education | Enterprise<br>LTSC | Enterprise |
+|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- |
+| **Home** | - | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
+| **Pro** | ❌ | - | ❌ | ❌ | ❌ | ❌ | ❌ |
+| **Pro for Workstations** | ❌ | ❌ | - | ❌ | ❌ | ❌ | ❌ |
+| **Pro Education** | ❌ | ❌ | ❌ | - | ❌ | ❌ | ❌ |
+| **Education** | ❌ | ✅ | ✅ | ✅ | - | ❌ | - |
+| **Enterprise LTSC** | ❌ | ❌ | ❌ | ❌ | ❌ | - | ❌ |
+| **Enterprise** | ❌ | ✅ | ✅ | ✅ | - | ❌ | - |
+
+- ✅ = Supported downgrade path.
+- ❌ = not supported or not a downgrade.
+- \- = Not considered a downgrade or an upgrade.
+
+> [!NOTE]
+>
+> Windows **N** and Windows **KN** SKUs follow the same rules shown in the table.
+
+The table may not represent more complex scenarios. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key. You can then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
+
+### Scenario example: Downgrading from Enterprise
+
+- Original edition: **Professional OEM**
+- Upgrade edition: **Enterprise**
+- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education**
+
+You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you're a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
+
+## Related articles
+
+- [Windows upgrade paths](./windows-upgrade-paths.md)
+- [Volume Licensing Service Center](/licensing/)
+- [Windows Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index 81fcb592e6..4a534442ee 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -37,7 +37,7 @@ You can use USMT to automate migration during large deployments of the Windows o
 
 > [!IMPORTANT]
 >
-> USMT only supports devices that are joined to a local Active Directory domain. USMT doesn't support Azure AD joined devices. 
+> USMT only supports devices that are joined to a local Active Directory domain. USMT doesn't support Microsoft Entra joined devices. 
 
 ## Upgrade and migration considerations
 Whether you're upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md
new file mode 100644
index 0000000000..c8ea3f2dda
--- /dev/null
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@@ -0,0 +1,71 @@
+---
+title: Windows upgrade paths 
+description: Upgrade to current versions of Windows from a previous version of Windows
+ms.prod: windows-client
+ms.localizationpriority: medium
+author: frankroj
+manager: aaroncz
+ms.author: frankroj
+ms.topic: conceptual
+ms.collection:
+  - highpri
+  - tier2
+ms.technology: itpro-deploy
+ms.date: 10/02/2023
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+---
+
+# Windows upgrade paths
+
+## Upgrade paths
+
+This article provides a summary of available upgrade paths to currently supported versions of Windows. You can upgrade to currently supported versions of Windows from previous versions of Windows that are also still supported. Paths include upgrading from one release of Windows to a later release of the same version of Windows. Migrating from one edition of Windows to a different edition of the same release is also supported.
+
+> [!NOTE]
+>
+> If you're also migrating to a different edition of Windows, see [Windows edition upgrade](windows-edition-upgrades.md). The [Windows edition upgrade](windows-edition-upgrades.md) article describes methods and supported paths to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't always maintained when the Windows edition is downgraded.
+
+- **Windows version upgrade**: You can directly upgrade any General Availability Channel version of Windows to a newer, supported General Availability Channel version of Windows, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](/lifecycle/faq/windows) for availability and service information.
+
+- **Upgrade from Windows LTSC to Windows General Availability Channel**: Upgrade from Windows LTSC to Windows General Availability Channel is available when upgrading to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise 22H2. Upgrade is supported using the in-place upgrade process using Windows setup. The Product Key switch needs to be used if apps need to be kept. If the switch isn't used, the option **Keep personal files and apps** option is grayed out. The command line to perform the upgrade is:
+  
+  ```cmd
+  setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
+  ```
+
+  where **xxxxx-xxxxx-xxxxx-xxxxx-xxxxx** is the Windows General Availability Channel product key. For example, if using a KMS, the command line for Windows Enterprise would be:
+  
+  ```cmd
+  setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43
+  ```
+
+  For additional product keys for use with KMS, see [Key Management Services (KMS) client activation and product keys:Generic Volume License Keys (GVLK)](/windows-server/get-started/kms-client-activation-keys#generic-volume-license-keys-gvlk).
+
+  > [!IMPORTANT]
+  > In-place upgrade from Windows General Availability Channel to Windows LTSC isn't supported.
+  >
+  >
+  > Windows 10 LTSC 2015 didn't block this in-place upgrade path even though it isn't supported. This issue was corrected in the Windows 10 LTSC 2016 release. Windows 10 LTSC 2016 only allows data-only and clean install options.
+
+- **Windows N/KN**: **Windows N** and **Windows KN** SKUs (editions without media-related functionality) follow the same upgrade paths shown in the following tables. If the pre-upgrade and post-upgrade editions aren't the same type, for example, Windows 10 Pro N to Windows 11 Pro, personal data is kept but applications and settings are removed during the upgrade process.
+
+## Supported Windows upgrade paths
+
+| Windows Edition | **Windows Home** | **Windows Pro** | **Windows Pro Education** | **Windows Education** | **Windows Enterprise** |
+|---|---|---|---|---|---|
+| **Windows Home**  | ❌ | ✅  | ✅  | ✅  | ❌ |
+| **Windows Pro**   | ⬇️ | ❌ | ✅   | ✅  | ✅  |
+| **Windows Education**  | ❌ | ❌ | ❌ | ❌ | ⬇️  |
+| **Windows Enterprise**  | ❌ | ❌ | ❌ | ✅ | ❌ |
+
+- ✅ = Full upgrade is supported including personal data, settings, and applications.
+- ❌ = Upgrade isn't supported or not applicable.
+- ⬇️ = Edition downgrade; personal data is maintained, applications and settings are removed.
+
+## Related articles
+
+- [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+- [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+- [Windows edition upgrade](windows-edition-upgrades.md)
\ No newline at end of file
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index d36ddbbc92..98f95d0597 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -69,7 +69,7 @@ As the authorized administrator, it is your responsibility to protect the privac
 
 - **Maintain security of the file server and the deployment server**
 
-    We recommend that you manage the security of the file and deployment servers. It's important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files isn't exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](https://go.microsoft.com/fwlink/p/?LinkId=215657).
+    We recommend that you manage the security of the file and deployment servers. It's important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files isn't exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](https://www.microsoft.com/download/details.aspx?id=53353).
 
 - **Password Migration**
 
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 2b5db81c9d..d7c0f5e4fd 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -5,14 +5,14 @@ manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 author: frankroj
-ms.date: 11/01/2022
+ms.date: 09/18/2023
 ms.topic: article
 ms.technology: itpro-deploy
 ---
 
 # Exclude files and settings
 
-When you specify the migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What does USMT migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a `Config.xml` file to exclude an entire component from a migration. You can't, however, exclude users by using the migration .xml files or the `Config.xml` file. The only way to specify which users to include and exclude is by using the user options on the command line in the ScanState tool. For more information, see the [User options](usmt-scanstate-syntax.md#user-options) section of the [ScanState syntax](usmt-scanstate-syntax.md) article.
+When you specify the migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What does USMT migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition, you can create a `Config.xml` file to exclude an entire component from a migration. You can't, however, exclude users by using the migration .xml files or the `Config.xml` file. The only way to specify which users to include and exclude is by using the user options on the command line in the ScanState tool. For more information, see the [User options](usmt-scanstate-syntax.md#user-options) section of the [ScanState syntax](usmt-scanstate-syntax.md) article.
 
 Methods to customize the migration and include and exclude files and settings include:
 
@@ -33,7 +33,8 @@ We recommend that you create a custom .xml file instead of modifying the default
 The migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, contain the **&lt;component&gt;** element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the **&lt;include&gt;** and **&lt;exclude&gt;** elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md).
 
 > [!NOTE]
-> If you specify an **&lt;exclude&gt;** rule, always specify a corresponding **&lt;include&gt;** rule. Otherwise, if you do not specify an **&lt;include&gt;** rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied **&lt;exclude&gt;** rule is unnecessary.
+>
+> If you specify an **&lt;exclude&gt;** rule, always specify a corresponding **&lt;include&gt;** rule. Otherwise, if you don't specify an **&lt;include&gt;** rule, the specific files or settings aren't included. They're already excluded from the migration. Thus, an unaccompanied **&lt;exclude&gt;** rule is unnecessary.
 
 - [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
 
@@ -82,16 +83,16 @@ The following .xml file migrates all files and subfolders in `C:\Data`, except t
         <displayName _locID="miguser.sharedvideo">Test component</displayName>
         <role role="Data">
             <rules>
-         <include>
-            <objectSet>
-                 <pattern type="File">C:\Data\* [*]</pattern>
-            </objectSet>
-          </include>
-         <exclude>
-             <objectSet>
-                   <pattern type="File"> C:\Data\temp\* [*]</pattern>
-             </objectSet>
-         </exclude>  
+                <include>
+                    <objectSet>
+                        <pattern type="File">C:\Data\* [*]</pattern>
+                    </objectSet>
+                </include>
+                <exclude>
+                    <objectSet>
+                        <pattern type="File"> C:\Data\temp\* [*]</pattern>
+                    </objectSet>
+                </exclude>
             </rules>
         </role>
     </component>
@@ -104,23 +105,23 @@ The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but
 
 ```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
-<component type="Documents" context="System">
-  <displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
-  <role role="Data">
-    <rules>
-         <include>
-            <objectSet>
-                 <pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
-            </objectSet>
-          </include>
-      <exclude>
-        <objectSet>
-          <pattern type="File"> C:\EngineeringDrafts\ [*]</pattern>
-        </objectSet>
-      </exclude>
-    </rules>
-  </role>
-</component>
+    <component type="Documents" context="System">
+        <displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
+        <role role="Data">
+            <rules>
+                <include>
+                    <objectSet>
+                        <pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
+                    </objectSet>
+                </include>
+                <exclude>
+                    <objectSet>
+                        <pattern type="File"> C:\EngineeringDrafts\ [*]</pattern>
+                    </objectSet>
+                </exclude>
+            </rules>
+        </role>
+    </component>
 </migration>
 ```
 
@@ -130,35 +131,35 @@ The following .xml file migrates all files and subfolders in `C:\EngineeringDraf
 
 ```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
-<component type="Documents" context="System">
-  <displayName>Component to migrate all Engineering Drafts Documents except Sample.doc</displayName>
-  <role role="Data">
-    <rules>
-         <include>
-            <objectSet>
-                 <pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
-            </objectSet>
-          </include>
-      <exclude>
-        <objectSet>
-          <pattern type="File"> C:\EngineeringDrafts\ [Sample.doc]</pattern>
-        </objectSet>
-      </exclude>
-    </rules>
-  </role>
-</component>
+    <component type="Documents" context="System">
+        <displayName>Component to migrate all Engineering Drafts Documents except Sample.doc</displayName>
+        <role role="Data">
+            <rules>
+                <include>
+                    <objectSet>
+                        <pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
+                    </objectSet>
+                </include>
+                <exclude>
+                    <objectSet>
+                        <pattern type="File"> C:\EngineeringDrafts\ [Sample.doc]</pattern>
+                    </objectSet>
+                </exclude>
+            </rules>
+        </role>
+    </component>
 </migration>
 ```
 
 ### Example 5: How to exclude a file from any location
 
-To exclude a Sample.doc file from any location on the C: drive, use the **&lt;pattern&gt;** element. If multiple files exist with the same name on the C: drive, all of these files will be excluded.
+To exclude a Sample.doc file from any location on the C: drive, use the **&lt;pattern&gt;** element. If multiple files exist with the same name on the C: drive, all of these files are excluded.
 
 ```xml
 <pattern type="File"> C:\* [Sample.doc] </pattern>
 ```
 
-To exclude a Sample.doc file from any drive on the computer, use the **&lt;script&gt;** element. If multiple files exist with the same name, all of these files will be excluded.
+To exclude a Sample.doc file from any drive on the computer, use the **&lt;script&gt;** element. If multiple files exist with the same name, all of these files are excluded.
 
 ```xml
 <script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
@@ -174,15 +175,15 @@ The following .xml file excludes all `.mp3` files from the migration:
 
 ```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/excludefiles">
-  <component context="System" type="Documents">
+    <component context="System" type="Documents">
         <displayName>Test</displayName>
         <role role="Data">
             <rules>
-             <unconditionalExclude>
-                        <objectSet>
-    <script>MigXmlHelper.GenerateDrivePatterns ("* [*.mp3]", "Fixed")</script>
-                        </objectSet> 
-             </unconditionalExclude>
+                <unconditionalExclude>
+                    <objectSet>
+                        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.mp3]", "Fixed")</script>
+                    </objectSet>
+                </unconditionalExclude>
             </rules>
         </role>
     </component>
@@ -199,11 +200,11 @@ The following .xml file excludes only the files located on the C: drive.
         <displayName>Test</displayName>
         <role role="Data">
             <rules>
-  <unconditionalExclude>
+                <unconditionalExclude>
                     <objectSet>
-      <pattern type="File">c:\*[*]</pattern>
+                        <pattern type="File">c:\*[*]</pattern>
                     </objectSet>
-  </unconditionalExclude>
+                </unconditionalExclude>
             </rules>
         </role>
     </component>
@@ -217,53 +218,53 @@ The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registr
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
-   <component type="Documents" context="User">
-      <displayName>Test</displayName>
-      <role role="Data">
-         <rules>
-            <include>
-               <objectSet>
-                  <pattern type="Registry">HKCU\testReg[*]</pattern>
-               </objectSet>
-            </include>
-            <unconditionalExclude>
-               <objectSet>
-                  <pattern type="Registry">HKCU\*[*]</pattern>
-               </objectSet>
-            </unconditionalExclude>
-         </rules>
-      </role>
-   </component>
+    <component type="Documents" context="User">
+        <displayName>Test</displayName>
+        <role role="Data">
+            <rules>
+                <include>
+                    <objectSet>
+                        <pattern type="Registry">HKCU\testReg[*]</pattern>
+                    </objectSet>
+                </include>
+                <unconditionalExclude>
+                    <objectSet>
+                        <pattern type="Registry">HKCU\*[*]</pattern>
+                    </objectSet>
+                </unconditionalExclude>
+            </rules>
+        </role>
+    </component>
 </migration>
 ```
 
 ##### Example 4: How to Exclude `C:\Windows` and `C:\Program Files`
 
-The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all `*.docx`, `*.xls` and `*.ppt` files won't be migrated because the **&lt;unconditionalExclude&gt;** element takes precedence over the **&lt;include&gt;** element.
+The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. All `*.docx`, `*.xls` and `*.ppt` files aren't migrated because the **&lt;unconditionalExclude&gt;** element takes precedence over the **&lt;include&gt;** element.
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
-   <component type="Documents" context="System">
-      <displayName>Test</displayName>
-      <role role="Data">
-         <rules>
-            <include>
-               <objectSet>
-    <script>MigXmlHelper.GenerateDrivePatterns ("* [*.doc]", "Fixed")</script>
-    <script>MigXmlHelper.GenerateDrivePatterns ("* [*.xls]", "Fixed")</script>
-    <script>MigXmlHelper.GenerateDrivePatterns ("* [*.ppt]", "Fixed")</script>
-               </objectSet>
-            </include>
-            <unconditionalExclude>
-               <objectSet>
-                  <pattern type="File">C:\Program Files\* [*]</pattern>
-<pattern type="File">C:\Windows\* [*]</pattern>
-               </objectSet>
-            </unconditionalExclude>
-         </rules>
-      </role>
-   </component>
+    <component type="Documents" context="System">
+        <displayName>Test</displayName>
+        <role role="Data">
+            <rules>
+                <include>
+                    <objectSet>
+                        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.doc]", "Fixed")</script>
+                        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.xls]", "Fixed")</script>
+                        <script>MigXmlHelper.GenerateDrivePatterns ("* [*.ppt]", "Fixed")</script>
+                    </objectSet>
+                </include>
+                <unconditionalExclude>
+                    <objectSet>
+                        <pattern type="File">C:\Program Files\* [*]</pattern>
+                        <pattern type="File">C:\Windows\* [*]</pattern>
+                    </objectSet>
+                </unconditionalExclude>
+            </rules>
+        </role>
+    </component>
 </migration>
 ```
 
@@ -275,12 +276,13 @@ You can create and modify a `Config.xml` file if you want to exclude components
 
 - **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the **&lt;WindowsComponents&gt;** section.
 
-- **To exclude My Documents:** Specify `migrate="no"` for **My Documents** under the **&lt;Documents&gt;** section. Note that any **&lt;include&gt;** rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files won't.
+- **To exclude My Documents:** Specify `migrate="no"` for **My Documents** under the **&lt;Documents&gt;** section. Any **&lt;include&gt;** rules in the .xml files are still applied. For example, if you have a rule that includes all the .docx files in My Documents, then .docx files are still migrated. However, any additional files that aren't .docx aren't migrated.
 
 For more information, see [Config.xml File](usmt-configxml-file.md).
 
 > [!NOTE]
-> To exclude a component from the `Config.xml` file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the `Config.xml` file will not exclude the component from your migration.
+>
+> To exclude a component from the `Config.xml` file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the `Config.xml` file doesn't exclude the component from your migration.
 
 ## Related articles
 
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index b8a8f9f4dc..e32b8c614c 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -248,9 +248,11 @@ You should also note the following items:
 
 Starting in Windows 10, version 1607 the USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout).
 
-### User profiles from Active Directory to Azure Active Directory
+<a name='user-profiles-from-active-directory-to-azure-active-directory'></a>
 
-USMT doesn't support migrating user profiles from Active Directory to Azure Active Directory.
+### User profiles from Active Directory to Microsoft Entra ID
+
+USMT doesn't support migrating user profiles from Active Directory to Microsoft Entra ID.
 
 ## Related articles
 
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index bfd4b4c563..df89fc602d 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -24,13 +24,13 @@ This document describes how to configure virtual machines (VMs) to enable [Windo
 Deployment instructions are provided for the following scenarios:
 
 1. [Active Directory-joined VMs](#active-directory-joined-vms)
-2. [Azure Active Directory-joined VMs](#azure-active-directory-joined-vms)
+2. [Microsoft Entra joined VMs](#azure-active-directory-joined-vms)
 3. [Azure Gallery VMs](#azure-gallery-vms)
 
 ## Requirements
 
 - VMs must be running a supported version of Windows Pro edition.
-- VMs must be joined to Active Directory or Azure Active Directory (Azure AD).
+- VMs must be joined to Active Directory or Microsoft Entra ID.
 - VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
 
 ## Activation
@@ -40,13 +40,13 @@ Deployment instructions are provided for the following scenarios:
 - The VM is running a supported version of Windows.
 - The VM is hosted in Azure, an authorized outsourcer, or another Qualified Multitenant Hoster (QMTH).
 
-    When a user with VDA rights signs in to the VM using their Azure AD credentials, the VM is automatically stepped-up to Enterprise and activated. There's no need to do Windows Pro activation. This functionality eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
+    When a user with VDA rights signs in to the VM using their Microsoft Entra credentials, the VM is automatically stepped-up to Enterprise and activated. There's no need to do Windows Pro activation. This functionality eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
 
 ### Scenario 2
 
 - The Hyper-V host and the VM are both running a supported version of Windows.
 
-    [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure AD account.
+    [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using a Microsoft Entra account.
 
 ### Scenario 3
 
@@ -91,7 +91,7 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
     6. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
 
         > [!NOTE]
-        > This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms).
+        > This step is different for [Microsoft Entra joined VMs](#azure-active-directory-joined-vms).
 
     7. On the Add applications page, add applications if desired. This step is optional.
 
@@ -111,16 +111,18 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
 
 8. See the instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#upload-the-vhd) to sign in to Azure, get your storage account details, upload the VHD, and create a managed image.
 
-## Azure Active Directory-joined VMs
+<a name='azure-active-directory-joined-vms'></a>
+
+## Microsoft Entra joined VMs
 
 > [!IMPORTANT]
-> Azure AD provisioning packages have a 180 day limit on bulk token usage. After 180 days, you'll need to update the provisioning package and re-inject it into the image. Existing virtual machines that are Azure AD-joined and deployed won't need to be recreated.
+> Microsoft Entra provisioning packages have a 180 day limit on bulk token usage. After 180 days, you'll need to update the provisioning package and re-inject it into the image. Existing virtual machines that are Microsoft Entra joined and deployed won't need to be recreated.
 
-For Azure AD-joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
+For Microsoft Entra joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
 
 - During setup with Windows Configuration Designer, under **Name**, enter a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
 
-- During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials.
+- During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Microsoft Entra ID**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials.
 
 - When entering the PackagePath, use the project name you previously entered. For example, **Desktop Bulk Enrollment Token Pro GVLK.ppkg**
 
@@ -154,7 +156,7 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j
 
 9. On the Set up network page, choose **Off**.
 
-10. On the Account Management page, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials.
+10. On the Account Management page, choose **Enroll in Microsoft Entra ID**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials.
 
 11. On the Add applications page, add applications if desired. This step is optional.
 
@@ -186,7 +188,7 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j
 
     The values `enablecredsspsupport` and `authentication level` should each appear only once in the file.
 
-6. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM.
+6. Save your changes, and then use this custom RDP file with your Microsoft Entra credentials to connect to the Azure VM.
 
 ## Related articles
 
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index 3401c97658..b1056c9728 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -8,155 +8,191 @@ author: frankroj
 manager: aaroncz
 ms.author: frankroj
 ms.localizationpriority: medium
-ms.date: 11/07/2022
+ms.date: 10/16/2023
 ms.topic: how-to
 ms.collection:
   - highpri
   - tier2
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
 
 # Activate using Key Management Service
 
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
-
 > [!TIP]
-> Are you looking for information on retail activation?
+>
+> For information on retail activation, see the following articles:
 >
 > - [Activate Windows](https://support.microsoft.com/help/12440/)
 > - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
 
-There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
+Volume activation can be performed via Key Management Service (KMS). KMS can be hosted either on a client version of Windows or on Windows Server.
 
-- Host KMS on a computer running Windows 10
-- Host KMS on a computer running Windows Server 2012 R2
-- Host KMS on a computer running an earlier version of Windows
+## Key Management Service in a client version of Windows
 
-Check out [Windows 10 Volume Activation Tips](/archive/blogs/askcore/windows-10-volume-activation-tips).
+Installing a KMS host key on a computer running a client version of Windows allows the following scenarios against this KMS host:
 
-## Key Management Service in Windows 10
+- Activation of other computers running the same client version of Windows.
+- Activation of other computers running earlier client versions of Windows.
 
-Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
+Clients locate the KMS server by using resource records in DNS, so some configuration of DNS is required. This scenario can be beneficial if the organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
 
-Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
-To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft activation services.
+To enable KMS functionality, a KMS key is installed on a KMS host. The host is then activated over the Internet or by phone using Microsoft activation services.
 
-### Configure KMS in Windows 10
+### Configure KMS in a client version of Windows
 
-To activate, use the `slmgr.vbs` command. Open an elevated command prompt and run one of the following commands:
+KMS can be activated on client versions of Windows by using the `slmgr.vbs`. To activate KMS on a client version of Windows, follow these steps:
 
-- To install the KMS key, run the command `slmgr.vbs /ipk <KmsKey>`.
+1. Open an elevated Command Prompt window.
 
-- To activate online, run the command `slmgr.vbs /ato`.
+1. In the elevated Command Prompt window, run the following command to install the KMS key:
 
-- To activate by telephone, follow these steps:
+   ```cmd
+   cscript.exe slmgr.vbs /ipk <KMS_Key>
+   ```
 
-  1. Run `slmgr.vbs /dti` and confirm the installation ID.
+1. Once the KMS key has been installed, it needs to be activated using one of the following methods:
 
-  2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
+   - To activate online, in the elevated Command Prompt window, run the following command:
 
-  3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
+    ```cmd
+    cscript.exe slmgr.vbs /ato
+    ```
 
-  4. Run `slmgr.vbs /atp \<confirmation ID\>`.
+   - To activate by telephone, follow these steps:
 
-For more information, see the information for Windows 7 in [Deploy KMS Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn502531(v=ws.11)).
+      1. In the elevated Command Prompt window, run the following command:
 
-## Key Management Service in Windows Server 2012 R2
+         ```cmd
+         cscript.exe slmgr.vbs /dti
+         ```
 
-Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
+         This command should display the installation ID.
 
-> [!NOTE]
-> You cannot install a client KMS key into the KMS in Windows Server.
+      1. Call the [Microsoft Volume License Key assisted support telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers). Follow the voice prompts and when prompted, enter the installation ID obtained in the previous step.
 
-This scenario is commonly used in larger organizations that don't find the overhead of using a server a burden.
+      1. Continue following the voice prompts. When prompted, write down the 48-digit confirmation ID for OS activation given by the prompts.
 
-> [!NOTE]
-> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [Error 0xC004F015 when you activate Windows 10 Enterprise on a Windows Server 2012 R2 KMS host](/troubleshoot/windows-server/deployment/error-0xc004f015-activate-windows-10).
+      1. In the elevated Command Prompt window, run the following command:
 
-### Configure KMS in Windows Server 2012 R2
+         ```cmd
+         cscript.exe slmgr.vbs /atp <confirmation_ID_from_previous_step>
+         ```
 
-1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
+## Key Management Service in Windows Server
 
-2. Launch Server Manager.
+Installing a KMS host key on a computer running Windows Server allows you to activate computers running the same or earlier versions of Windows Server. Additionally, it also allows activation of client versions of Windows.
 
-3. Add the Volume Activation Services role, as shown in Figure 4.
+> [!IMPORTANT]
+>
+> You can't install a client KMS key into the KMS in Windows Server.
 
-   ![Adding the Volume Activation Services role in Server Manager.](../images/volumeactivationforwindows81-04.jpg)
+### Configure KMS in Windows Server
 
-   **Figure 4**. Adding the Volume Activation Services role in Server Manager
+1. Sign in to a Windows Server server with an account that has local administrative credentials.
 
-4. When the role installation is complete, select the link to launch the Volume Activation Tools (Figure 5).
+1. Open **Server Manager**.
 
-   ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-05.jpg)
+1. Under the **Manage** menu in **Server Manager**, select **Add Roles and Features**. The **Add Roles and Features Wizard** window opens.
 
-   **Figure 5**. Launching the Volume Activation Tools
+1. In the **Add Roles and Features Wizard**:
 
-5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). This computer can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
+   1. In the **Before you begin** page, select the **Next >** button.
 
-   ![Configuring the computer as a KMS host.](../images/volumeactivationforwindows81-06.jpg)
+   1. In the **Select installation type**/**Installation Type** page, select **Role-based or feature-based installation**, and then select the **Next >** button.
 
-   **Figure 6**. Configuring the computer as a KMS host
+   1. In the **Select destination server**/**Server Selection** page, make sure **Select a server from the server pool** is selected. Under **Server Pool**, select the server on which to install KMS, and then select the **Next >** button.
 
-6. Install your KMS host key by typing it in the text box, and then select **Commit** (Figure 7).
+   1. In the **Select server roles**/**Server Roles** page, under **Roles**, select **Volume Activation Services**, and then select the **Next >** button.
 
-   ![Installing your KMS host key.](../images/volumeactivationforwindows81-07.jpg)
+   1. In the **Add features that are required for Volume Activation Services?** window that appears, select the **Add Features** button, and then select the **Next >** button.
 
-   **Figure 7**. Installing your KMS host key
+   1. In the **Select features**/**Features** page, select the **Next >** button.
 
-7. If asked to confirm replacement of an existing key, select **Yes**.
-8. After the product key is installed, you must activate it. Select **Next** (Figure 8).
+   1. In the **Volume Activation Services** page, select the **Next >** button.
 
-   ![Activating the software.](../images/volumeactivationforwindows81-08.jpg)
+   1. In the **Confirm installation selections**/**Confirmation** page, select the **Install** button.
 
-   **Figure 8**. Activating the software
+   1. Installation can take a few minutes to complete. Once the role installation completes, select the **Close** button.
 
-   The KMS key can be activated online or by phone. See Figure 9.
+1. Go to the **Start Menu** > **Windows Administrative Tools** and select **Volume Activation Tools**. The **Volume Activation Tools** window appears.
 
-   ![Choosing to activate online.](../images/volumeactivationforwindows81-09.jpg)
+1. In the **Volume Activation Tools** window:
 
-   **Figure 9**. Choosing to activate online
+   1. In the **Introduction to Volume Activation Tools**/**Introduction** page, select the **Next >** button.
 
-Now that the KMS host is configured, it will begin to listen for activation requests. However, it will not activate clients successfully until the activation threshold is met.
+   1. In the **Select Volume Activation Method**/**Activation Type** page, select the **Key Management Service (KMS)** option, and specify the computer that acts as the KMS host. This computer can be the server on which the KMS role was installed, or another server/client computer. After the server/computer has been specified, select the **Next >** button.
+
+   1. In the **Manage KMS Host**/**Product Key Management** page, enter in the KMS host key in the text box under **Install your KMS host key**, and then select the **Commit** button.
+
+   1. If asked to confirm replacement of an existing key, select **Yes**.
+
+   1. After the product key is installed, in the **Product Key Installation Succeeded**/**Product Key Management** page, make sure **Activate Product** is selected, and then select **Next >** button to begin the activation process.
+
+   1. In the **Activate Product**/**Product Key Management** page, make sure the current product is shown under the **Select product** menu, and then select the desired activation method. The available methods are:
+
+      - **Active online** - If selecting this option, select the **Commit** button to finish activating the product online.
+
+      - **Active by phone** - If selecting this option:
+
+         1. Select the desired location from the **Select your location** drop-down menu, and then select the **Next >** button.
+
+         1. In the **Activate by Phone**/**Product Key Management** page, follow the instructions to activate the product by phone.
+
+         1. Once finished, select the **Commit** button.
+
+   1. In the **Activation Succeeded**/**Product Key Management** page, review the configuration options:
+
+      - If the configuration options are as expected, select the **Close** button.
+
+      - If configuration changes are desired:
+
+         1. Select the **Next >** button.
+
+         1. In the **Configure Key Management Service Options/Product Key Management** page, make the desired configuration changes, and then select the **Commit** button.
+
+         1. In the **Configuration Succeeded**/**Configuration** page, select the **Close** button.
+
+Once the KMS host is configured, it begins to listen for activation requests. However, it doesn't activate clients successfully until the activation threshold is met.
 
 ## Verifying the configuration of Key Management Service
 
-KMS volume activation can be verified from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message.
+KMS volume activation can be verified from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests are processed. The verification process described here increments the activation count each time a client computer contacts the KMS host. If the activation threshold hasn't been reached, the verification generates an error message instead of a confirmation message.
 
 > [!NOTE]
-> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2.
+>
+> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that doesn't first try to activate itself by using Active Directory-based activation. For example, a client computer that is a workgroup computer that isn't joined to a domain.
 
 To verify that KMS volume activation works, complete the following steps:
 
 1. On the KMS host, open the event log and confirm that DNS publishing is successful.
 
-2. On a client computer, open a Command Prompt window and run the command `Slmgr.vbs /ato`.
+2. On a client computer, open an elevated Command Prompt window and run the command:
+
+   ```cmd
+   cscript.exe slmgr.vbs /ato
+   ```
 
    The `/ato` command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
 
-3. On a client computer or the KMS host, open an elevated Command Prompt window and run the command `Slmgr.vbs /dlv`.
+3. On a client computer or the KMS host, open an elevated Command Prompt window and run the command
+
+   ```cmd
+   cscript.exe slmgr.vbs /dlv
+   ```
 
    The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This test confirms that KMS is functioning correctly, even though the client hasn't been activated.
 
-For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](/windows-server/get-started/activation-slmgr-vbs-options).
+For more information about the use and syntax of the script `slmgr.vbs`, see [Slmgr.vbs Options](/windows-server/get-started/activation-slmgr-vbs-options).
 
-## Key Management Service in earlier versions of Windows
-
-If you've already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
-
-1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
-2. Request a new KMS host key from the Volume Licensing Service Center.
-3. Install the new KMS host key on your KMS host.
-4. Activate the new KMS host key by running the slmgr.vbs script.
-
-For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
+> [!IMPORTANT]
+>
+> Clients require RPC over TCP/IP connectivity to the KMS host to successfully activate. For more information, see [Key Management Services (KMS) activation planning: Network requirements](/windows-server/get-started/kms-activation-planning#network-requirements) and [Remote Procedure Call (RPC) errors troubleshooting guidance](/troubleshoot/windows-client/networking/rpc-errors-troubleshooting).
 
 ## Related articles
 
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+- [Key Management Services (KMS) activation planning](/windows-server/get-started/kms-activation-planning).
diff --git a/windows/deployment/volume-activation/images/sql-instance.png b/windows/deployment/volume-activation/images/sql-instance.png
deleted file mode 100644
index 379935e01c..0000000000
Binary files a/windows/deployment/volume-activation/images/sql-instance.png and /dev/null differ
diff --git a/windows/deployment/volume-activation/images/vamt-db.png b/windows/deployment/volume-activation/images/vamt-db.png
deleted file mode 100644
index 6c353fe835..0000000000
Binary files a/windows/deployment/volume-activation/images/vamt-db.png and /dev/null differ
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index c204b95d16..455f978c0a 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -1,85 +1,116 @@
 ---
-title: Install VAMT (Windows 10)
-description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
+title: Install VAMT
+description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows.
 ms.reviewer: nganguly
 manager: aaroncz
 ms.author: frankroj
 ms.prod: windows-client
 author: frankroj
 ms.localizationpriority: medium
-ms.date: 11/07/2022
+ms.date: 10/13/2023
 ms.topic: article
 ms.technology: itpro-fundamentals
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
 
 # Install VAMT
 
-This article describes how to install the Volume Activation Management Tool (VAMT).
-
-## Installing VAMT
-
-You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
+This article describes how to install the Volume Activation Management Tool (VAMT). VAMT is installed as part of the Windows Assessment and Deployment Kit (ADK) for Windows.
 
 >[!IMPORTANT]
->VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products' license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.
+>
+> VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products' license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you don't have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.
 
 >[!NOTE]
->The VAMT Microsoft Management Console snap-in ships as an x86 package.
+>
+> The VAMT Microsoft Management Console snap-in ships as an x86 package.
 
-### Requirements
+## Requirements
 
-- [Windows Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
+- [Windows Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied.
 
-- Latest version of the [Windows 10 ADK](/windows-hardware/get-started/adk-install)
+- Latest version of the [Windows ADK](/windows-hardware/get-started/adk-install).
 
-- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended
+- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-downloads) version. The latest is recommended.
 
-- Alternatively, any supported **full** SQL instance
+- Alternatively, any supported **full** SQL instance.
 
-### Install SQL Server Express / alternatively use any full SQL instance
+## Install SQL Server Express / alternatively use any full SQL instance
 
-1. Download and open the [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
+1. Download and open the [SQL Server Express](https://aka.ms/sqlexpress) package.
 
-2. Select **Basic**.
+1. For **Select an installation type:**, select **Basic**.
 
-3. Accept the license terms.
+1. In the **Microsoft SQL Server Server License Terms** screen, accept the license terms by selecting the **Accept** button.
 
-4. Enter an install location or use the default path, and then select **Install**.
+1. In the **Specify SQL Server install location** screen under **INSTALL LOCATION \*:**, specify an install location or use the default path, and then select the **Install** button.
 
-5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
+1. Once the installation is complete, in the **Installation Has completed successfully!** page, under **INSTANCE NAME**, note the instance name for the installation. The instance name will be used later in the [Configure VAMT to connect to SQL Server Express or full SQL Server](#configure-vamt-to-connect-to-sql-server-express-or-full-sql-server) section.
 
-    ![In this example, the instance name is SQLEXPRESS01.](images/sql-instance.png)
+1. Once the instance name has been noted, select the **Close** button, and then select the **Yes** button to confirm exiting the installer.
 
-### Install VAMT using the ADK
+## Install VAMT using the ADK
 
-1. Download the latest version of [Windows 10 ADK](/windows-hardware/get-started/adk-install).
+1. Download the latest version of [Windows ADK](/windows-hardware/get-started/adk-install).
 
-   If an older version is already installed, it's recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
+   If an older version is already installed, it's recommended to first uninstall the older ADK before installing the latest version. Existing VAMT data is maintained in the VAMT database.
 
-2. Enter an install location or use the default path, and then select **Next**.
+1. Open the ADK installer that was downloaded in the previous step. The **Windows Assessment and Deployment Kit** window opens.
 
-3. Select a privacy setting, and then select **Next**.
+1. In the **Windows Assessment and Deployment Kit** window:
 
-4. Accept the license terms.
+   1. At the **Specify Location** page, under **Install Path:**, enter an install location or use the default path. It's recommended to install at the default path. Once done, select the **Next** button.
 
-5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. If desired, you can select additional features to install as well.
+   1. In the **Windows Kits Privacy** page, select a privacy setting, and then select the **Next** button.
 
-6. On the completion page, select **Close**.
+   1. In the **License Agreement** page, accept the license terms by selecting the **Accept** button.
 
-### Configure VAMT to connect to SQL Server Express or full SQL Server
+   1. In the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**. If desired, select any additional features to install. Once done, select the **Install** button.
 
-1. Open **Volume Active Management Tool 3.1** from the Start menu.
+   1. Once installation is complete, the **Welcome to the Windows Assessment and Deployment Kit!** page is displayed. Select the **Close** button.
 
-2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
+## Configure VAMT to connect to SQL Server Express or full SQL Server
 
-   ![Server name is .\SQLEXPRESS and database name is VAMT.](images/vamt-db.png)
+1. In the Start Menu under **Windows Kits**, select **Volume Active Management Tool 3.1**. The **Database Connection Settings** window opens.
 
-   For remote SQL Server, use `servername.yourdomain.com`.
+1. In the **Database Connection Settings** window:
+
+   1. Next to **Server:**, enter the server instance name as determined in the [Install SQL Server Express / alternatively use any full SQL instance](#install-sql-server-express--alternatively-use-any-full-sql-instance) section. If SQL is remote, make sure to use the FQDN.
+
+   1. Next to **Database:**, add a name for the database.
+
+   1. Once the database server and database names have been entered, select the **Connect** button.
+
+   1. Select the **Yes** button to create the database.
 
 ## Uninstall VAMT
 
-To uninstall VAMT using the **Programs and Features** Control Panel:
+To uninstall VAMT:
 
-1. Open **Control Panel** and select **Programs and Features**.
+1. Right-click on the Start Menu and select **Settings**.
 
-2. Select **Assessment and Deployment Kit** from the list of installed programs and select **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
+1. Select **Apps** in the left hand pane.
+
+1. In the right hand pane under **Apps**, select **Installed apps**.
+
+   Alternatively, select the following link to automatically open the **Settings** app to the **Installed apps** page:
+
+   > [!div class="nextstepaction"]
+   > [Installed apps](ms-settings:appsfeatures)
+
+1. Scroll through the list of installed apps and find **Windows Assessment and Deployment Kit**.
+
+1. Select the three dots **...** next to **Windows Assessment and Deployment Kit** and then select **Modify**. The **Windows Assessment and Deployment Kit** window opens.
+
+1. In the **Windows Assessment and Deployment Kit** window:
+
+   1. In the **Maintain your Windows Assessment and Deployment Kit features** page, select **Change**, and then select the **Next** button.
+
+   1. In the **Select the features you want to change** page, uncheck **Volume Activation Management Tool (VAMT)**, and then select the **Change** button.
+
+   1. Once the uninstall is complete, the **Change is complete.** page is displayed. Select the **Close** button.
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 18e44ca25b..c216cfa830 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -44,7 +44,7 @@ The following tables summarize various Windows 10 deployment scenarios. The scen
 |Scenario|Description|More information|
 |--- |--- |--- |
 |[Subscription Activation](#windows-10-subscription-activation)|Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.|[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)|
-|[Azure Active Directory / MDM](#dynamic-provisioning)|The device is automatically joined to Azure Active Directory and configured by MDM.|[Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
+|[Microsoft Entra ID / MDM](#dynamic-provisioning)|The device is automatically joined to Microsoft Entra ID and configured by MDM.|[Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
 |[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)|
 
 ### Traditional
@@ -110,9 +110,11 @@ The goal of dynamic provisioning is to take a new PC out of the box, turn it on,
 
 Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
 
-### Azure Active Directory (Azure AD) join with automatic mobile device management (MDM) enrollment
+<a name='azure-active-directory-azure-ad-join-with-automatic-mobile-device-management-mdm-enrollment'></a>
 
-In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+### Microsoft Entra join with automatic mobile device management (MDM) enrollment
+
+In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Microsoft Entra ID and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
 
 ### Provisioning package configuration
 
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index 241c5344cc..93cf409b93 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -23,9 +23,9 @@ Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel o
 Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following prerequisites:
 
 - Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
-- Azure Active Directory (Azure AD) available for identity management
+- Microsoft Entra available for identity management
 
-You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
+You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Microsoft Entra credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
 
 Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features.
 
@@ -183,6 +183,6 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition fe
 ## Related articles
 
 [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md)<br>
-[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)<br>
+[Connect domain-joined devices to Microsoft Entra ID for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)<br>
 [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)<br>
 [Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)<br>
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
deleted file mode 100644
index c57dd5bce0..0000000000
--- a/windows/deployment/windows-10-media.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Windows 10 volume license media
-description: Learn about volume license media in Windows 10, and channels such as the Volume License Service Center (VLSC).
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.date: 11/23/2022
-manager: aaroncz
-ms.author: frankroj
-author: frankroj
-ms.topic: article
-ms.technology: itpro-deploy
----
-
-# Windows 10 volume license media
-
-*Applies to:*
-
-- Windows 10
-
-With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This article provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10.
-
-## Windows 10 media
-
-To download Windows 10 installation media from the VLSC, use the product search filter to find "Windows 10."  A list of products will be displayed. The page then allows you to use your search results to download products, view keys, and view product and key descriptions.
-
-When you select a product, for example "Windows 10 Enterprise" or "Windows 10 Education", you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness).
-
-> [!NOTE]
-> If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx).
-
-Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together.
-
-### Language packs
-
-- **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages.
-
-### Features on demand
-
-[Features on demand](/archive/blogs/mniehaus/adding-features-including-net-3-5-to-windows-10) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above.
-
-Features on demand is a method for adding features to your Windows 10 image that aren't included in the base operating system image.
-
-## Related articles
-
-[Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/download/details.aspx?id=10585)
-<br>[Volume Activation for Windows 10](./volume-activation/volume-activation-windows-10.md)
-<br>[Plan for volume activation](./volume-activation/plan-for-volume-activation-client.md)
-<br>[VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150)
-<br>[Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc)
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 59914650f4..6b8718bf68 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -48,7 +48,7 @@ Windows Enterprise E3 and E5 are available as online services via subscription.
 - Devices with a current Windows Pro edition license can be seamlessly upgraded to Windows Enterprise.
 - Product key-based Windows Enterprise software licenses can be transitioned to Windows Enterprise subscriptions.
 
-Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure Active Directory (Azure AD) using [Azure AD Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
+Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Microsoft Entra ID using [Microsoft Entra Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
 
 > [!NOTE]
 > Subscription activation is available for qualifying devices running Windows 10 or Windows 11. You can't use subscription activation to upgrade from Windows 10 to Windows 11.
@@ -59,7 +59,7 @@ Subscription activation for Education works the same as the Enterprise edition,
 
 ## Inherited activation
 
-Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10 or Windows 11 host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses an Azure AD account on a VM.
+Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10 or Windows 11 host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses a Microsoft Entra account on a VM.
 
 To support inherited activation, both the host computer and the VM must be running a supported version of Windows 10 or Windows 11. The hypervisor platform must also be Windows Hyper-V.
 
@@ -80,7 +80,7 @@ The following list illustrates how deploying Windows client has evolved with eac
 
 - **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for devices that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
 
-- **Windows 10, version 1709** added support for Windows 10 subscription activation, similar to the CSP support but for large enterprises. This feature enabled the use of Azure AD for assigning licenses to users. When users sign in to a device that's joined to Active Directory or Azure AD, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
+- **Windows 10, version 1709** added support for Windows 10 subscription activation, similar to the CSP support but for large enterprises. This feature enabled the use of Microsoft Entra ID for assigning licenses to users. When users sign in to a device that's joined to Active Directory or Microsoft Entra ID, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
 
 - **Windows 10, version 1803** updated Windows 10 subscription activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It was no longer necessary to run a script to activate Windows 10 Pro before activating Enterprise. For virtual machines and hosts running Windows 10, version 1803, [inherited activation](#inherited-activation) was also enabled.
 
@@ -96,7 +96,7 @@ The following list illustrates how deploying Windows client has evolved with eac
 ### Windows Enterprise requirements
 
 > [!NOTE]
-> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
+> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Microsoft Entra joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
 
 > [!IMPORTANT]
 > As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
@@ -104,8 +104,8 @@ The following list illustrates how deploying Windows client has evolved with eac
 For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
 
 - A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded.
-- Azure AD available for identity management.
-- Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported.
+- Microsoft Entra available for identity management.
+- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
 
 For Microsoft customers that don't have EA or MPSA, you can get Windows Enterprise E3/E5 or A3/A5 licenses through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses. For more information about getting Windows Enterprise E3 through your CSP, see [Windows Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
 
@@ -114,7 +114,7 @@ For Microsoft customers that don't have EA or MPSA, you can get Windows Enterpri
 - A supported version of Windows Pro Education installed on the devices to be upgraded.
 - A device with a Windows Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
 - The Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license, or a Windows Enterprise or Education subscription.
-- Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported.
+- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
 
 > [!IMPORTANT]
 > If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
@@ -130,7 +130,7 @@ To compare Windows 10 editions and review pricing, see the following sites:
 
 You can benefit by moving to Windows as an online service in the following ways:
 
-- Licenses for Windows Enterprise and Education are checked based on Azure AD credentials. You have a systematic way to assign licenses to end users and groups in your organization.
+- Licenses for Windows Enterprise and Education are checked based on Microsoft Entra credentials. You have a systematic way to assign licenses to end users and groups in your organization.
 
 - User sign-in triggers a silent edition upgrade, with no reboot required.
 
@@ -145,13 +145,13 @@ You can benefit by moving to Windows as an online service in the following ways:
 > [!NOTE]
 > The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions.
 
-The device is Azure AD-joined from **Settings** > **Accounts** > **Access work or school**.
+The device is Microsoft Entra joined from **Settings** > **Accounts** > **Access work or school**.
 
 You assign Windows 10 Enterprise to a user:
 
 ![A screenshot of assigning a Windows 10 Enterprise license in the Microsoft 365 admin center.](images/ent.png)
 
-When a licensed user signs in to a device that meets requirements using their Azure AD credentials, Windows steps up from Pro edition to Enterprise. Then all of the Enterprise features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro edition, once the current subscription validity expires.
+When a licensed user signs in to a device that meets requirements using their Microsoft Entra credentials, Windows steps up from Pro edition to Enterprise. Then all of the Enterprise features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro edition, once the current subscription validity expires.
 
 > [!NOTE]
 > Devices running a supported version of Windows 10 Pro Education can get Windows 10 Enterprise or Education general availability channel on up to five devices for each user covered by the license. This benefit doesn't include the long term servicing channel.
@@ -176,7 +176,7 @@ All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise. When a
 
 #### Scenario #2
 
-You're using Azure AD-joined devices or Active Directory-joined devices running a supported version of Windows 10. You configured Azure AD synchronization. You follow the steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) to get a $0 SKU, and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. You then assign that license to all of your Azure AD users, which can be Active Directory-synced accounts. When that user signs in, the device will automatically change from Windows 10 Pro to Windows 10 Enterprise.
+You're using Microsoft Entra joined devices or Active Directory-joined devices running a supported version of Windows 10. You configured Microsoft Entra synchronization. You follow the steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) to get a $0 SKU, and get a new Windows 10 Enterprise E3 or E5 license in Microsoft Entra ID. You then assign that license to all of your Microsoft Entra users, which can be Active Directory-synced accounts. When that user signs in, the device will automatically change from Windows 10 Pro to Windows 10 Enterprise.
 
 #### Earlier versions of Windows
 
@@ -196,7 +196,7 @@ The following policies apply to acquisition and renewal of licenses on devices:
 
 Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
 
-When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).
+When you have the required Microsoft Entra subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).
 
 ### Existing Enterprise deployments
 
@@ -213,13 +213,15 @@ If the computer has never been activated with a Pro key, use the following scrip
 $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
 ```
 
-### Obtaining an Azure AD license
+<a name='obtaining-an-azure-ad-license'></a>
+
+### Obtaining a Microsoft Entra ID license
 
 If your organization has an Enterprise Agreement (EA) or Software Assurance (SA):
 
-- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
+- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Microsoft Entra ID. Ideally, you assign the licenses to groups using the Microsoft Entra ID P1 or P2 feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
 
-- The license administrator can assign seats to Azure AD users with the same process that's used for Microsoft 365 Apps.
+- The license administrator can assign seats to Microsoft Entra users with the same process that's used for Microsoft 365 Apps.
 
 - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
 
@@ -239,11 +241,11 @@ For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise
 
 Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
 
-Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
+Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
 
 ## Related sites
 
-Connect domain-joined devices to Azure AD for Windows experiences. For more information, see [Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
+Connect domain-joined devices to Microsoft Entra ID for Windows experiences. For more information, see [Plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
 
 [Compare Windows editions](https://www.microsoft.com/windows/business/compare-windows-11)
 
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index ad017e7f92..e6232ddc8f 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -10,6 +10,8 @@
           href: overview/windows-autopatch-roles-responsibilities.md
         - name: Privacy
           href: overview/windows-autopatch-privacy.md
+        - name: Deployment guide
+          href: overview/windows-autopatch-deployment-guide.md
         - name: FAQ
           href: overview/windows-autopatch-faq.yml
     - name: Prepare
@@ -121,10 +123,10 @@
               href: references/windows-autopatch-windows-update-unsupported-policies.md
             - name: Microsoft 365 Apps for enterprise update policies
               href: references/windows-autopatch-microsoft-365-policies.md
+            - name: Conflicting configurations
+              href: references/windows-autopatch-conflicting-configurations.md
         - name: Changes made at tenant enrollment
           href: references/windows-autopatch-changes-to-tenant.md
-        - name: Driver and firmware updates public preview addendum
-          href: references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
     - name: What's new
       href:
       items: 
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
index 5a5b518816..3e70bd954a 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
@@ -1,7 +1,7 @@
 ---
 title: Add and verify admin contacts
 description: This article explains how to add and verify admin contacts
-ms.date: 05/30/2022
+ms.date: 09/15/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index 7bb3547dba..f9ce34d2ae 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -26,12 +26,12 @@ The overall device registration process is as follows:
 :::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png":::
 
 1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch.
-2. IT admin identifies devices to be managed by Windows Autopatch through either adding device-based Azure AD groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md).
+2. IT admin identifies devices to be managed by Windows Autopatch through either adding device-based Microsoft Entra groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md).
 3. Windows Autopatch then:
     1. Performs device readiness prior registration (prerequisite checks).
     2. Calculates the deployment ring distribution.
     3. Assigns devices to one of the deployment rings based on the previous calculation.
-    4. Assigns devices to other Azure AD groups required for management.
+    4. Assigns devices to other Microsoft Entra groups required for management.
     5. Marks devices as active for management so it can apply its update deployment policies.
 4. IT admin then monitors the device registration trends and the update deployment reports.
 
@@ -46,13 +46,13 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
 | Step | Description |
 | ----- | ----- |
 | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
-| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group when using adding existing device-based Azure AD groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group</li></ul> |
-| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group or from Azure AD groups used with Autopatch groups in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Azure AD when registering devices into its service.<ol><li>Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.</li></ol> |
-| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**Serial number, model, and manufacturer.**</li><ol><li>Checks if the serial number already exists in the Windows Autopatch’s managed device database.</li></ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.</li><li>A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the device is a Windows and corporate-owned device.</li><ol><li>**If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.</li><li>**If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.</li></ol></ol></ol>|
+| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Microsoft Entra ID assigned or dynamic groups into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group when using adding existing device-based Microsoft Entra groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group</li></ul> |
+| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group or from Microsoft Entra groups used with Autopatch groups in **step #2**. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.<ol><li>Once devices are discovered from the Microsoft Entra group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Microsoft Entra ID in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.</li></ol> |
+| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**Serial number, model, and manufacturer.**</li><ol><li>Checks if the serial number already exists in the Windows Autopatch’s managed device database.</li></ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Microsoft Entra device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Microsoft Entra ID in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.</li><li>A common reason is when the Microsoft Entra device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Microsoft Entra device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the device is a Windows and corporate-owned device.</li><ol><li>**If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.</li><li>**If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.</li></ol></ol></ol>|
 | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:<ol><li>If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.</li><li>If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.</li></ol> |
-| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Azure AD groups:<ol><li>**Modern Workplace Devices-Windows Autopatch-First**</li><ol><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (**Modern Workplace Devices-Windows Autopatch-Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ol><li>**Modern Workplace Devices-Windows Autopatch-Fast**</li><li>**Modern Workplace Devices-Windows Autopatch-Broad**</li>Then the second deployment ring set, the software updates-based deployment ring set represented by the following Azure AD groups:<ul><li>**Windows Autopatch - Ring1**<ul><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD groups (**Windows Autopatch - Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ul><li>**Windows Autopatch - Ring2**</li>**Windows Autopatch - Ring3**</li></li></ol> |
-| **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:<ol><li>**Modern Workplace Devices - All**</li><ol><li>This group has all devices managed by Windows Autopatch.</li></ol><li>**Modern Workplace Devices - Virtual Machine**</li><ol><li>This group has all **virtual devices** managed by Windows Autopatch.</li></ol> |
-| **Step 8: Post-device registration** | In post-device registration, three actions occur:<ol><li>Windows Autopatch adds devices to its managed database.</li><li>Flags devices as **Active** in the **Registered** tab.</li><li>The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.</li><ol><li>The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.</li></ol> |
+| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Microsoft Entra groups:<ol><li>**Modern Workplace Devices-Windows Autopatch-First**</li><ol><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Microsoft Entra group (**Modern Workplace Devices-Windows Autopatch-Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ol><li>**Modern Workplace Devices-Windows Autopatch-Fast**</li><li>**Modern Workplace Devices-Windows Autopatch-Broad**</li>Then the second deployment ring set, the software updates-based deployment ring set represented by the following Microsoft Entra groups:<ul><li>**Windows Autopatch - Ring1**<ul><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Microsoft Entra groups (**Windows Autopatch - Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ul><li>**Windows Autopatch - Ring2**</li>**Windows Autopatch - Ring3**</li></li></ol> |
+| **Step 7: Assign devices to a Microsoft Entra group** | Windows Autopatch also assigns devices to the following Microsoft Entra groups when certain conditions apply:<ol><li>**Modern Workplace Devices - All**</li><ol><li>This group has all devices managed by Windows Autopatch.</li></ol><li>**Modern Workplace Devices - Virtual Machine**</li><ol><li>This group has all **virtual devices** managed by Windows Autopatch.</li></ol> |
+| **Step 8: Post-device registration** | In post-device registration, three actions occur:<ol><li>Windows Autopatch adds devices to its managed database.</li><li>Flags devices as **Active** in the **Registered** tab.</li><li>The Microsoft Entra device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.</li><ol><li>The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.</li></ol> |
 | **Step 9: Review device registration status** | IT admins review the device registration status in both the **Registered** and **Not registered** tabs.<ol><li>If the device was **successfully registered**, the device shows up in the **Registered** tab.</li><li>If **not**, the device shows up in the **Not registered** tab.</li></ol> |
 | **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. |
 
@@ -69,7 +69,7 @@ During the tenant enrollment process, Windows Autopatch creates two different
 - [Service-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#service-based-deployment-rings)
 - [Software update-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#software-based-deployment-rings)  
 
-The following four Azure AD assigned groups are used to organize devices for the service-based deployment ring set:
+The following four Microsoft Entra ID assigned groups are used to organize devices for the service-based deployment ring set:
 
 | Service-based deployment ring | Description |
 | ----- | ----- |
@@ -78,7 +78,7 @@ The following four Azure AD assigned groups are used to organize devices for the
 | Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption |
 | Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization |
 
-The five Azure AD assigned groups that are used to organize devices for the software update-based deployment ring set within the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition):
+The five Microsoft Entra ID assigned groups that are used to organize devices for the software update-based deployment ring set within the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition):
 
 | Software updates-based deployment ring | Description |
 | ----- | ----- |
@@ -158,7 +158,7 @@ If you want to move devices to different deployment rings (either service or sof
 If you don't see the Ring assigned by column change to **Pending** in Step 5, check to see whether the device exists in Microsoft Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
 
 > [!WARNING]
-> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
+> Moving devices between deployment rings through directly changing Microsoft Entra group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
 
 ## Automated deployment ring remediation functions
 
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
index 5d7ae124f5..93aeb12df6 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
@@ -19,7 +19,7 @@ ms.collection:
 
 Autopatch groups help Microsoft Cloud-Managed services meet organizations where they are in their update management journey.
 
-Autopatch groups is a logical container or unit that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
+Autopatch groups is a logical container or unit that groups several [Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
 
 ## Autopatch groups prerequisites
 
@@ -36,7 +36,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 	- Windows Autopatch – DSS Policy [First]
 	- Windows Autopatch – DSS Policy [Fast]
 	- Windows Autopatch – DSS Policy [Broad]
-- Ensure the following Azure AD assigned groups are in your tenant before using Autopatch groups. **Don’t** modify the Azure AD group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly.
+- Ensure the following Microsoft Entra ID assigned groups are in your tenant before using Autopatch groups. **Don’t** modify the Microsoft Entra group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly.
     - Modern Workplace Devices-Windows Autopatch-Test
     - Modern Workplace Devices-Windows Autopatch-First
     - Modern Workplace Devices-Windows Autopatch-Fast
@@ -46,14 +46,14 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
     - Windows Autopatch – Ring2
     - Windows Autopatch – Ring3
     - Windows Autopatch – Last
-- Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** Service Principal as the owner of these groups.
-	- For more information, see [assign an owner or member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for steps on how to add owners to Azure Azure AD groups.
+- Additionally, **don't** modify the Microsoft Entra group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** Service Principal as the owner of these groups.
+	- For more information, see [assign an owner or member of a group in Microsoft Entra ID](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for steps on how to add owners to Azure Microsoft Entra groups.
 - Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to:
     - Read device attributes to successfully register devices.
     - Manage all configurations related to the operation of the service.
-- Make sure that all device-based Azure AD groups you intend to use with Autopatch groups are created prior to using the feature.
-    - Review your existing Azure AD group dynamic queries and direct device memberships to avoid having device membership overlaps in between device-based Azure AD groups that are going to be used with Autopatch groups. This can help prevent device conflicts within an Autopatch group or across several Autopatch groups. **Autopatch groups doesn't support user-based Azure AD groups**.
-- Ensure devices used with your existing Azure AD groups meet [device registration prerequisite checks](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) when being registered with the service. Autopatch groups register devices on your behalf, and devices can be moved to **Registered** or **Not registered** tabs in the Devices blade accordingly.
+- Make sure that all device-based Microsoft Entra groups you intend to use with Autopatch groups are created prior to using the feature.
+    - Review your existing Microsoft Entra group dynamic queries and direct device memberships to avoid having device membership overlaps in between device-based Microsoft Entra groups that are going to be used with Autopatch groups. This can help prevent device conflicts within an Autopatch group or across several Autopatch groups. **Autopatch groups doesn't support user-based Microsoft Entra groups**.
+- Ensure devices used with your existing Microsoft Entra groups meet [device registration prerequisite checks](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) when being registered with the service. Autopatch groups register devices on your behalf, and devices can be moved to **Registered** or **Not registered** tabs in the Devices blade accordingly.
 
 > [!TIP]
 > [Update rings](/mem/intune/protect/windows-10-update-rings) and [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies that are created and managed by Windows Autopatch can be restored using the [Policy health](../operate/windows-autopatch-policy-health-and-remediation.md) feature. For more information on remediation actions, see [restore Windows update policies](../operate/windows-autopatch-policy-health-and-remediation.md#restore-windows-update-policies).
@@ -68,17 +68,17 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Devices** from the left navigation menu.
 1. Under the **Windows Autopatch** section, select **Release management**.
-1. In the **Release management** blade, select **Autopatch groups (preview)**.
+1. In the **Release management** blade, select **Autopatch groups**.
 1. In the **Autopatch groups** blade, select **Create**.
 1. In **Basics** page, enter a **name** and a **description** then select **Next: Deployment rings**.
     1. Enter up to 64 characters for the Autopatch group name and 150 characters maximum for the description. The Autopatch group name is appended to both the update rings and the DSS policy names that get created once the Custom Autopatch group is created.
 1. In **Deployment rings** page, select **Add deployment ring** to add the number of deployment rings to the Custom Autopatch group.
-1. Each new deployment ring added must have either an Azure AD device group assigned to it, or an Azure AD group that is dynamically distributed across your deployments rings using defined percentages.
-    1. In the **Dynamic groups** area, select **Add groups** to select one or more existing device-based Azure AD groups to be used for Dynamic group distribution.
+1. Each new deployment ring added must have either a Microsoft Entra device group assigned to it, or a Microsoft Entra group that is dynamically distributed across your deployments rings using defined percentages.
+    1. In the **Dynamic groups** area, select **Add groups** to select one or more existing device-based Microsoft Entra groups to be used for Dynamic group distribution.
     1. In the **Dynamic group distribution** column, select the desired deployment ring checkbox. Then, either:
-        1. Enter the percentage of devices that should be added from the Azure AD groups selected in step 9. The percentage calculation for devices must equal to 100%, or
+        1. Enter the percentage of devices that should be added from the Microsoft Entra groups selected in step 9. The percentage calculation for devices must equal to 100%, or
         1. Select **Apply default dynamic group distribution** to use the default values.
-1. In the **Assigned group** column, select **Add group to ring** to add an existing Azure AD group to any of the defined deployment rings. The **Test** and **Last** deployment rings only support Assigned group distribution. These deployment rings don't support Dynamic distribution.
+1. In the **Assigned group** column, select **Add group to ring** to add an existing Microsoft Entra group to any of the defined deployment rings. The **Test** and **Last** deployment rings only support Assigned group distribution. These deployment rings don't support Dynamic distribution.
 1. Select **Next: Windows Update settings**.
 1. Select the **horizontal ellipses (…)** > **Manage deployment cadence** to [customize your gradual rollout of Windows quality and feature updates](../operate/windows-autopatch-windows-update.md). Select **Save**.
 1. Select the **horizontal ellipses (…)** > **Manage notifications** to customize the end-user experience when receiving Windows updates. Select **Save**.
@@ -86,10 +86,10 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 1. Once the review is done, select **Create** to save your custom Autopatch group.
 
 > [!CAUTION]
-> A device-based Azure AD group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Azure AD group that’s been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom).
+> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that’s been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom).
 
 > [!IMPORTANT]
-> Windows Autopatch creates the device-based Azure AD assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
+> Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
 
 ## Edit the Default or a Custom Autopatch group
 
@@ -107,7 +107,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 1. Once the review is done, select **Save** to finish editing the Autopatch group.
 
 > [!IMPORTANT]
-> Windows Autopatch creates the device-based Azure AD assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
+> Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
 
 ## Rename a Custom Autopatch group
 
@@ -119,7 +119,7 @@ You **can’t** rename the Default Autopatch group. However, you can rename a Cu
 1. In the **New Autopatch group name**, enter the new Autopatch group name of your choice, then click **Rename group**.
 
 > [!IMPORTANT]
-> Autopatch supports up to 64 characters for the custom Autopatch group name. Additionally, when you rename a custom Autopatch group all [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) associated with the custom Autopatch group are renamed to include the new Autopatch group name you define in its name string. Also, when renaming a custom Autopatch group all Azure AD groups representing the custom Autopatch group's deployment rings are renamed to include the new Autopatch group name you define in its name string.
+> Autopatch supports up to 64 characters for the custom Autopatch group name. Additionally, when you rename a custom Autopatch group all [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) associated with the custom Autopatch group are renamed to include the new Autopatch group name you define in its name string. Also, when renaming a custom Autopatch group all Microsoft Entra groups representing the custom Autopatch group's deployment rings are renamed to include the new Autopatch group name you define in its name string.
 
 ## Delete a Custom Autopatch group
 
@@ -135,12 +135,12 @@ You **can’t** delete the Default Autopatch group. However, you can delete a Cu
 
 ## Manage device conflict scenarios when using Autopatch groups
 
-Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups.
+Overlap in device membership is a common scenario when working with device-based Microsoft Entra groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Microsoft Entra groups.
 
-Since Autopatch groups allow you to use your existing Azure AD groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur.
+Since Autopatch groups allow you to use your existing Microsoft Entra groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur.
 
 > [!CAUTION]
-> A device-based Azure AD group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Azure AD group that’s been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom).
+> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that’s been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom).
 
 ### Device conflict in deployment rings within an Autopatch group
 
@@ -172,11 +172,11 @@ Device conflict across different deployment rings in different Autopatch groups
 
 #### Device conflict prior to device registration
 
-When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Azure AD groups, used in Autopatch groups’ deployment rings, are registered with the service.
+When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Microsoft Entra groups, used in Autopatch groups’ deployment rings, are registered with the service.
 
 | Conflict scenario | Conflict resolution |
 | -----  | ----- |
-| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.<p>Devices will fail to register with the service and will be sent to the **Not registered** tab. You’re required to make sure the Azure AD groups that are used with the Custom Autopatch groups don’t have device membership overlaps.</p> |
+| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.<p>Devices will fail to register with the service and will be sent to the **Not registered** tab. You’re required to make sure the Microsoft Entra groups that are used with the Custom Autopatch groups don’t have device membership overlaps.</p> |
 
 #### Device conflict post device registration
 
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
index a706404138..b482faa489 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
@@ -21,7 +21,7 @@ As organizations move to a managed-service model where Microsoft manages update
 
 ## What are Windows Autopatch groups?
 
-Autopatch groups is a logical container or unit that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
+Autopatch groups is a logical container or unit that groups several [Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
 
 ## Key benefits
 
@@ -29,9 +29,9 @@ Autopatch groups help Microsoft Cloud-Managed services meet organizations where
 
 | Benefit | Description |
 | ----- | ----- |
-| Replicating your organizational structure | You can set up Autopatch groups to replicate your organizational structures represented by your existing device-based Azure AD group targeting logic. |
+| Replicating your organizational structure | You can set up Autopatch groups to replicate your organizational structures represented by your existing device-based Microsoft Entra group targeting logic. |
 | Having a flexible number of deployments | Autopatch groups give you the flexibility of having the right number of deployment rings that work within your organization. You can set up to 15 deployment rings per Autopatch group. |
-| Deciding which device(s) belong to deployment rings | Along with using your existing device-based Azure AD groups and choosing the number of deployment rings, you can also decide which devices belong to deployment rings during the device registration process when setting up Autopatch groups. |
+| Deciding which device(s) belong to deployment rings | Along with using your existing device-based Microsoft Entra groups and choosing the number of deployment rings, you can also decide which devices belong to deployment rings during the device registration process when setting up Autopatch groups. |
 | Choosing the deployment cadence | You choose the right software update deployment cadence for your business. |
 
 ## High-level architecture diagram overview
@@ -43,8 +43,8 @@ Autopatch groups is a function app that is part of the device registration micro
 | Step | Description |
 | ----- | ----- |
 | Step 1: Create an Autopatch group | Create an Autopatch group. |
-| Step 2: Windows Autopatch uses Microsoft Graph to create Azure AD and policy assignments | Windows Autopatch service uses Microsoft Graph to coordinate the creation of:<ul><li>Azure AD groups</li><li>Software update policy assignments with other Microsoft services, such as Azure AD, Intune, and Windows Update for Business (WUfB) based on IT admin choices when you create or edit an Autopatch group.</li></ul> |
-| Step 3: Intune assigns software update policies | Once Azure AD groups are created in the Azure AD service, Intune is used to assign the software update policies to these groups and provide the number of devices that need the software update policies to the Windows Update for Business (WUfB) service. |
+| Step 2: Windows Autopatch uses Microsoft Graph to create Microsoft Entra ID and policy assignments | Windows Autopatch service uses Microsoft Graph to coordinate the creation of:<ul><li>Microsoft Entra groups</li><li>Software update policy assignments with other Microsoft services, such as Microsoft Entra ID, Intune, and Windows Update for Business (WUfB) based on IT admin choices when you create or edit an Autopatch group.</li></ul> |
+| Step 3: Intune assigns software update policies | Once Microsoft Entra groups are created in the Microsoft Entra service, Intune is used to assign the software update policies to these groups and provide the number of devices that need the software update policies to the Windows Update for Business (WUfB) service. |
 | Step 4: Windows Update for Business responsibilities | Windows Update for Business (WUfB) is the service responsible for:<ul><li>Delivering those update policies</li><li>Retrieving update deployment statuses back from devices</li><li>Sending back the status information to Microsoft Intune, and then to the Windows Autopatch service</li></ul> |
 
 ## Key concepts
@@ -70,7 +70,7 @@ The Default Autopatch group **can’t** be deleted or renamed. However, you can
 
 #### Default deployment ring composition
 
-By default, the following [software update-based deployment rings](#software-based-deployment-rings), represented by Azure AD assigned groups, are used:
+By default, the following [software update-based deployment rings](#software-based-deployment-rings), represented by Microsoft Entra ID assigned groups, are used:
 
 - Windows Autopatch – Test
 - Windows Autopatch – Ring1
@@ -84,7 +84,7 @@ By default, the following [software update-based deployment rings](#software-bas
 > For more information about the differences between **Assigned** and **Dynamic** deployment ring distribution types, see [about deployment rings](#about-deployment-rings). Only deployment rings that are placed in between the **Test** and the **Last** deployment rings can be used with the **Dynamic** deployment ring distributions.
 
 > [!CAUTION]
-> These and other Azure AD assigned groups created by Autopatch groups **can't** be missing in your tenant, otherwise, Autopatch groups might not function properly.
+> These and other Microsoft Entra ID assigned groups created by Autopatch groups **can't** be missing in your tenant, otherwise, Autopatch groups might not function properly.
 
 The **Last** deployment ring, the fifth deployment ring in the Default Autopatch group, is intended to provide coverage for scenarios where a group of specialized devices and/or VIP/Executive users. They must receive software update deployments after the organization’s general population to mitigate disruptions to your organization’s critical businesses.
 
@@ -96,7 +96,7 @@ The Default Autopatch group provides a default update deployment cadence for its
 
 Autopatch groups set up the [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) for each of its deployment rings in the Default Autopatch group. See the following default policy values:
 
-| Policy name | Azure AD group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline |
+| Policy name | Microsoft Entra group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline |
 | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
 | Windows Autopatch Update Policy - default - Test | Windows Autopatch - Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes |
 | Windows Autopatch Update Policy - default - Ring1 | Windows Autopatch - Ring1 | 1 | 0 | 30 | 2 | 5 |2 | Yes |
@@ -108,7 +108,7 @@ Autopatch groups set up the [Update rings policy for Windows 10 and later](/mem/
 
 Autopatch groups set up the [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates) for each of its deployment rings in the Default Autopatch group, see the following default policy values:
 
-| Policy name | Azure AD group assignment |Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
+| Policy name | Microsoft Entra group assignment |Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
 | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
 | Windows Autopatch - DSS Policy [Test] | Windows Autopatch - Test | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024; 1:00AM |
 | Windows Autopatch - DSS Policy [Ring1] | Windows Autopatch - Ring1 | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024; 1:00AM |
@@ -129,12 +129,12 @@ By default, a Custom Autopatch group has the Test and Last deployment rings auto
 
 Deployment rings make it possible for an Autopatch group to have software update deployments sequentially delivered in a gradual rollout within the Autopatch group.
 
-Windows Autopatch aligns with Azure AD and Intune terminology for device group management. There are two types of deployment ring group distribution in Autopatch groups:
+Windows Autopatch aligns with Microsoft Entra ID and Intune terminology for device group management. There are two types of deployment ring group distribution in Autopatch groups:
 
 | Deployment ring distribution | Description |
 | ----- | ----- |
-| Dynamic | You can use one or more device-based Azure AD groups, either dynamic query-based or assigned to use in your deployment ring composition.<p>Azure AD groups that are used with the Dynamic distribution type can be used to distribute devices across several deployment rings based on percentage values that can be customized.</p> |
-| Assigned | You can use one single device-based Azure AD group, either dynamic query-based, or assigned to use in your deployment ring composition. |
+| Dynamic | You can use one or more device-based Microsoft Entra groups, either dynamic query-based or assigned to use in your deployment ring composition.<p>Microsoft Entra groups that are used with the Dynamic distribution type can be used to distribute devices across several deployment rings based on percentage values that can be customized.</p> |
+| Assigned | You can use one single device-based Microsoft Entra group, either dynamic query-based, or assigned to use in your deployment ring composition. |
 | Combination of Dynamic and Assigned | To provide a greater level of flexibility when working on deployment ring compositions, you can combine both device distribution types in Autopatch groups.<p>The combination of Dynamic and Assigned device distribution is **not** supported for the Test and Last deployment ring in Autopatch groups.</p> |
 
 #### About the Test and Last deployment rings
@@ -147,7 +147,7 @@ If you only keep Test and Last deployment rings in your Default Autopatch group,
 > Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn’t required, consider managing these devices outside Windows Autopatch.
 
 > [!TIP]
-> Both the **Test** and **Last** deployment rings only support one single Azure AD group assignment at a time. If you need to assign more than one Azure AD group, you can nest the other Azure AD groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Azure AD group nesting is supported.
+> Both the **Test** and **Last** deployment rings only support one single Microsoft Entra group assignment at a time. If you need to assign more than one Microsoft Entra group, you can nest the other Microsoft Entra groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Microsoft Entra group nesting is supported.
 
 #### Service-based versus software update-based deployment rings
 
@@ -160,7 +160,7 @@ Autopatch groups creates two different layers. Each layer contains its own deplo
 
 The service-based deployment ring set is exclusively used to keep Windows Autopatch updated with both service and device-level configuration policies, apps and APIs needed for core functions of the service.
 
-The following are the Azure AD assigned groups that represent the service-based deployment rings. These groups can't be deleted or renamed:
+The following are the Microsoft Entra ID assigned groups that represent the service-based deployment rings. These groups can't be deleted or renamed:
 
 - Modern Workplace Devices-Windows Autopatch-Test
 - Modern Workplace Devices-Windows Autopatch-First
@@ -168,13 +168,13 @@ The following are the Azure AD assigned groups that represent the service-based
 - Modern Workplace Devices-Windows Autopatch-Broad
 
 > [!CAUTION]
-> **Don’t** modify the Azure AD group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Azure AD group created by Autopatch groups.</p>
+> **Don’t** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.</p>
 
 ##### Software-based deployment rings
 
 The software-based deployment ring set is exclusively used with software update management policies, such as the Windows update ring and feature update policies, in the Default Windows Autopatch group.
 
-The following are the Azure AD assigned groups that represent the software updates-based deployment rings. These groups can't be deleted or renamed:
+The following are the Microsoft Entra ID assigned groups that represent the software updates-based deployment rings. These groups can't be deleted or renamed:
 
 - Windows Autopatch - Test
 - Windows Autopatch – Ring1
@@ -183,14 +183,14 @@ The following are the Azure AD assigned groups that represent the software updat
 - Windows Autopatch – Last
 
 > [!IMPORTANT]
-> Additional Azure AD assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group.
+> Additional Microsoft Entra ID assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group.
 
 > [!CAUTION]
-> **Don’t** modify the Azure AD group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Azure AD group created by Autopatch groups.</p>
+> **Don’t** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.</p>
 
 ### About device registration
 
-Autopatch groups register devices with the Windows Autopatch service when you either [create](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) or [edit a Custom Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group), and/or when you [edit the Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to use your existing Azure AD groups instead of the Windows Autopatch Device Registration group provided by the service.
+Autopatch groups register devices with the Windows Autopatch service when you either [create](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) or [edit a Custom Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group), and/or when you [edit the Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to use your existing Microsoft Entra groups instead of the Windows Autopatch Device Registration group provided by the service.
 
 ## Common ways to use Autopatch groups
 
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index a2734bb584..4cb39e3d34 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -31,44 +31,48 @@ Windows Autopatch can take over software update management control of devices th
 
 ### Windows Autopatch groups device registration
 
-When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Azure AD groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service.  
+When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Microsoft Entra groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service.  
 
-If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Azure AD groups instead of the Windows Autopatch Device Registration group.
+If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Microsoft Entra groups instead of the Windows Autopatch Device Registration group.
 
 For more information, see [create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [edit Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to register devices using the Autopatch groups device registration method.
 
-#### Supported scenarios when nesting other Azure AD groups
+<a name='supported-scenarios-when-nesting-other-azure-ad-groups'></a>
 
-Windows Autopatch also supports the following Azure AD nested group scenarios:
+#### Supported scenarios when nesting other Microsoft Entra groups
 
-Azure AD groups synced up from:
+Windows Autopatch also supports the following Microsoft Entra nested group scenarios:
+
+Microsoft Entra groups synced up from:
 
 - On-premises Active Directory groups (Windows Server AD)
 - [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync)
 
 > [!WARNING]
-> It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Azure AD group. Use a different Azure AD group when syncing Configuration Manager collections to Azure AD groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Azure AD group.
+> It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Microsoft Entra group. Use a different Microsoft Entra group when syncing Configuration Manager collections to Microsoft Entra groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Microsoft Entra group.
 
 > [!IMPORTANT]
-> The **Windows Autopatch Device Registration** Azure AD group only supports **one level** of Azure AD nested groups.
+> The **Windows Autopatch Device Registration** Microsoft Entra group only supports **one level** of Microsoft Entra nested groups.
 
-### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant
+<a name='clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant'></a>
 
-An [Azure AD dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) occurs when a device is initially connected to Azure AD as an [Azure AD Registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but as a [Hybrid Azure AD device](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+### Clean up dual state of Microsoft Entra hybrid joined and Azure registered devices in your Microsoft Entra tenant
 
-In the dual state, you end up having two Azure AD device records with different join types for the same device. In this case, the Hybrid Azure AD device record takes precedence over the Azure AD registered device record for any type of authentication in Azure AD, which makes the Azure AD registered device record stale.
+An [Microsoft Entra dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) occurs when a device is initially connected to Microsoft Entra ID as an [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Microsoft Entra hybrid join, the same device is connected twice to Microsoft Entra ID but as a [Hybrid Microsoft Entra device](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
 
-It's recommended to detect and clean up stale devices in Azure AD before registering devices with Windows Autopatch, see [How To: Manage state devices in Azure AD](/azure/active-directory/devices/manage-stale-devices).
+In the dual state, you end up having two Microsoft Entra device records with different join types for the same device. In this case, the Hybrid Microsoft Entra device record takes precedence over the Microsoft Entra registered device record for any type of authentication in Microsoft Entra ID, which makes the Microsoft Entra registered device record stale.
+
+It's recommended to detect and clean up stale devices in Microsoft Entra ID before registering devices with Windows Autopatch, see [How To: Manage state devices in Microsoft Entra ID](/azure/active-directory/devices/manage-stale-devices).
 
 > [!WARNING]
-> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check  in the **Not ready** tab because it's expected that these stale Azure AD devices aren't enrolled into the Intune service anymore.
+> If you don't clean up stale devices in Microsoft Entra ID before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check  in the **Not ready** tab because it's expected that these stale Microsoft Entra devices aren't enrolled into the Intune service anymore.
 
 ## Prerequisites for device registration
 
 To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
 
 - Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture).
-- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
+- Either [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Microsoft Entra joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
 - Managed by Microsoft Intune.
     - [Already enrolled into Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) and/or [Configuration Manager co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements).
         - Must switch the following Microsoft Configuration Manager [co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Intune (either set to Pilot Intune or Intune):
@@ -114,20 +118,20 @@ The following are the possible device readiness statuses in Windows Autopatch:
 
 A role defines the set of permissions granted to users assigned to that role. You can use one of the following built-in roles in Windows Autopatch to register devices:
 
-- Azure AD Global Administrator
+- Microsoft Entra Global Administrator
 - Intune Service Administrator
 
-For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
+For more information, see [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
 
-If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process:
+If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Microsoft Entra groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process:
 
-| Azure AD Group name | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions |
+| Microsoft Entra group name | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions |
 | ----- | ----- | ----- | ----- | ----- | ----- |
 | Modern Workplace Roles - Service Administrator | Yes | Yes | Yes | Yes | Yes |
 | Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | No |
 
 > [!TIP]
-> If you're adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Azure AD group, it's recommended to add the same users as owners of the **Windows Autopatch Device Registration** Azure AD group. Owners of the **Windows Autopatch Device Registration** Azure AD group can add new devices as members of the group for registration purposes.<p>For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).</p>
+> If you're adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Microsoft Entra group, it's recommended to add the same users as owners of the **Windows Autopatch Device Registration** Microsoft Entra group. Owners of the **Windows Autopatch Device Registration** Microsoft Entra group can add new devices as members of the group for registration purposes.<p>For more information, see [assign an owner of member of a group in Microsoft Entra ID](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).</p>
 
 ## Details about the device registration process
 
@@ -206,7 +210,7 @@ There's a few more device management lifecycle scenarios to consider when planni
 
 If a device was previously registered into the Windows Autopatch service, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Intune to reimage the device.
 
-The device will be rejoined to Azure AD (either Hybrid or Azure AD-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Azure AD device ID record of that device remains the same.
+The device will be rejoined to Microsoft Entra ID (either Hybrid or Microsoft Entra-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Microsoft Entra device ID record of that device remains the same.
 
 ### Device repair and hardware replacement
 
@@ -216,7 +220,7 @@ If you need to repair a device that was previously registered into the Windows A
 - MAC address (non-removable NICs)
 - OS hard drive's serial, model, manufacturer information
 
-When one of these hardware changes occurs, Azure AD creates a new device ID record for that device, even if it's technically the same device.
+When one of these hardware changes occurs, Microsoft Entra ID creates a new device ID record for that device, even if it's technically the same device.
 
 > [!IMPORTANT]
-> If a new Azure AD device ID is generated for a device that was previously registered into the Windows Autopatch service, even if it's technically same device, the new Azure AD device ID must be added either through device direct membership or through nested Azure AD dynamic/assigned group into the **Windows Autopatch Device Registration** Azure AD group. This process guarantees that the newly generated Azure AD device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service.
+> If a new Microsoft Entra device ID is generated for a device that was previously registered into the Windows Autopatch service, even if it's technically same device, the new Microsoft Entra device ID must be added either through device direct membership or through nested Microsoft Entra dynamic/assigned group into the **Windows Autopatch Device Registration** Microsoft Entra group. This process guarantees that the newly generated Microsoft Entra device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service.
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png b/windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png
new file mode 100644
index 0000000000..1e898235fa
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-deployment-journey.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png
index f77684b8c4..2098b9cd0c 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png
index abd0c884b1..d59d22d90c 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png
index 1be4b61b37..2c476a2e64 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png
index c6abcd6790..75dc395038 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-prerequisite-check-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-prerequisite-check-workflow-diagram.png
index d340ccdecd..9e01c36d3b 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-prerequisite-check-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-prerequisite-check-workflow-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
index 0f80250e80..563e6370c5 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
@@ -54,7 +54,7 @@ Alert resolutions are provided through the Windows Update service and provide th
 | `CancelledByUser` | User canceled the update | The Windows Update service has reported the update was canceled by the user.<p>It's recommended to work with the end user to allow updates to execute as scheduled.</p> |
 | `DamagedMedia` | The update file or hard drive is damaged | The Windows Update service has indicated the update payload might be damaged or corrupt. <p>It's recommended to run `Chkdsk /F` on the device with administrator privileges, then retry the update. For more information, see [chkdsk](/windows-server/administration/windows-commands/chkdsk?tabs=event-viewer).</p> |
 | `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service has reported a policy conflict.<p>For more information, see the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
-| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Azure AD Device ID. | The Windows Update service has reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
+| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Microsoft Entra Device ID. | The Windows Update service has reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service has reported that the MSA Service may be disabled preventing Global Device ID assignment.<p>Check that the MSA Service is running or able to run on device.</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service has reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service has reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
index 03e04c49d8..5aadb310ef 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
@@ -1,7 +1,7 @@
 ---
 title: Microsoft Edge
 description: This article explains how Microsoft Edge updates are managed in Windows Autopatch
-ms.date: 05/30/2022
+ms.date: 09/15/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
index e3b0793469..843b7e8d3c 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md
@@ -16,12 +16,12 @@ ms.collection:
 
 # Exclude a device
 
-To avoid end-user disruption, excluding a device in Windows Autopatch only deletes the Windows Autopatch device record itself. Excluding a device can't delete the Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
+To avoid end-user disruption, excluding a device in Windows Autopatch only deletes the Windows Autopatch device record itself. Excluding a device can't delete the Microsoft Intune and/or the Microsoft Entra device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
 
-When you exclude a device from the Windows Autopatch service, the device is flagged as **excluded** so Windows Autopatch doesn't try to restore the device into the service again, since the exclusion command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** group, or any other Azure AD group, used with Autopatch groups.
+When you exclude a device from the Windows Autopatch service, the device is flagged as **excluded** so Windows Autopatch doesn't try to restore the device into the service again, since the exclusion command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** group, or any other Microsoft Entra group, used with Autopatch groups.
 
 > [!IMPORTANT]
-> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
+> The Microsoft Entra team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
 
 **To exclude a device:**
 
@@ -32,7 +32,7 @@ When you exclude a device from the Windows Autopatch service, the device is flag
 1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Exclude device**.
 
 > [!WARNING]
-> Excluding devices from the Windows Autopatch Device Registration group, or any other Azure AD group, used with Autopatch groups doesn't exclude devices from the Windows Autopatch service.
+> Excluding devices from the Windows Autopatch Device Registration group, or any other Microsoft Entra group, used with Autopatch groups doesn't exclude devices from the Windows Autopatch service.
 
 ## Only view excluded devices
 
@@ -53,4 +53,4 @@ You can view the excluded devices in the **Not registered** tab to make it easie
 1. Select **Windows Autopatch** in the left navigation menu.
 1. Select **Devices**.
 1. In the **Not registered** tab, select the device(s) you want to restore.
-1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Restore device**.
+1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Restore excluded device**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
index 12e39f7f30..66164cc373 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
@@ -34,7 +34,7 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut
 
 Autopatch groups help Microsoft Cloud-Managed services meet all organizations where they are at in their update management journey.  
 
-Autopatch groups is a logical container that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as Windows Update rings and feature update policies, together.
+Autopatch groups is a logical container that groups several [Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as Windows Update rings and feature update policies, together.
 
 For more information on key benefits and how to use Autopatch groups, see [Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md).
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
index f2522d91fa..8ffc66a28a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
@@ -64,7 +64,7 @@ Windows Autopatch’s default Windows feature update release is a service-driven
 > [!TIP]
 > Windows Autopatch allows you to [create custom Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#create-a-custom-release).
 
-When devices are registered by manually adding them to the Windows Autopatch Device Registration Azure AD assigned group, devices are assigned to deployment rings as part of the default Autopatch group. Each deployment ring has its own Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service.
+When devices are registered by manually adding them to the Windows Autopatch Device Registration Microsoft Entra ID assigned group, devices are assigned to deployment rings as part of the default Autopatch group. Each deployment ring has its own Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service.
 
 The policies:
 
@@ -98,7 +98,7 @@ There are two scenarios that the Global release is used:
 
 | Scenario | Description |
 | ----- | ----- |
-| Scenario #1 | You assign Azure AD groups to be used with the deployment ring (Last) or you add additional deployment rings when you customize the [Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group).<p>A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Azure AD groups to the deployment ring (Last) in the Default Autopatch group.</p> |
+| Scenario #1 | You assign Microsoft Entra groups to be used with the deployment ring (Last) or you add additional deployment rings when you customize the [Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group).<p>A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Microsoft Entra groups to the deployment ring (Last) in the Default Autopatch group.</p> |
 | Scenario #2 | You create new [Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group).<p>The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.</p> |
 
 > [!NOTE]
@@ -142,7 +142,7 @@ Feature update policies work with Windows Update rings policies. Windows Update
 
 The following table details the default Windows Update rings policy values that affect either the default or custom Windows feature updates releases:
 
-| Policy name | Azure AD group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline |
+| Policy name | Microsoft Entra group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline |
 | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
 | Windows Autopatch Update Policy - default - Test | Windows Autopatch - Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes |
 | Windows Autopatch Update Policy - default - Ring1 | Windows Autopatch - Ring1 | 1 | 0 | 30 | 2 | 5 |2 | Yes |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
index da80289277..8fe50bb86f 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
@@ -48,7 +48,7 @@ The following information is available as optional columns in the Feature update
 
 | Column name | Description |
 | ----- | ----- |
-| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device |
+| Microsoft Entra device ID | The current Microsoft Entra ID recorded device ID for the device |
 | Serial number | The current Intune recorded serial number for the device |
 | Intune last check in time | The last time the device checked in to Intune |
 | Service State | The Service State provided from Windows Update |
@@ -73,7 +73,7 @@ The following options are available:
 
 | Option | Description |
 | ----- | ----- |
-| Search | Use to search by device name, Azure AD device ID or serial number |
+| Search | Use to search by device name, Microsoft Entra device ID or serial number |
 | Sort | Select the **column headings** to sort the report data in ascending and descending order. |
 | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
 | Filter | Select either the **Add filters** or at the top of the report to filter the results. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
index 37d261d766..6f8527fdc9 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
@@ -1,7 +1,7 @@
 ---
 title: Windows feature update summary dashboard
 description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
-ms.date: 07/25/2023
+ms.date: 10/11/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -17,19 +17,19 @@ ms.collection:
 
 # Windows feature update summary dashboard
 
-The summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
+The Summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
 
-The first part of the summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused.
+The first part of the Summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused.
 
-**To view a generated summary dashboard for your Windows feature update deployments:**
+**To view a generated Summary dashboard for your Windows feature update deployments:**
 
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Reports** from the left navigation menu.
-1. Under the **Windows Autopatch** section, select **Windows feature updates (preview)**.
+1. Under the **Windows Autopatch** section, select **Windows feature updates**.
 
 ## Report information
 
-The following information is available in the summary dashboard:
+The following information is available in the Summary dashboard:
 
 | Column name | Description |
 | ----- | ----- |
@@ -48,5 +48,5 @@ The following options are available:
 
 | Option | Description |
 | ----- | ----- |
-| Refresh | The option to **Refresh** the summary dashboard is available at the top of the page. This process will ensure that the summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
+| Refresh | The option to **Refresh** the Summary dashboard is available at the top of the page. This process ensures that the Summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
 | Summary links | Each column represents the summary of included devices. Select the hyperlinked number to produce a filtered report in a new browser tab. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
index 57b9aa5aad..34a3b93fab 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows quality updates overview with Autopatch groups experience
 description: This article explains how Windows quality updates are managed with Autopatch groups
-ms.date: 07/25/2023
+ms.date: 08/23/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -24,17 +24,17 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s
 | Policy | Description |
 | ----- | ----- |
 | [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | Deferral policies delay the time the update is offered to the device by a specific number of days. The "offer" date for Windows quality updates is equal to the number of days specified in the deferral policy after the second Tuesday of each month. |
-| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays)    | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
+| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays)    | Before the deadline, users can schedule restarts or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
 | [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |
 
-For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups you can also customize the [Default Deployment Group’s deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring. To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
+For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups, you can also customize the [Default Deployment Group’s deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring. To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
 
 > [!IMPORTANT]
 > Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed.  These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective).
 
 ## Service level objective
 
-Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. Note that devices that have cadence type set to Schedule install won't be eligible for Windows quality update SLO. For more information about the Schedule Install cadence type, see [Deployment cadence types](../operate/windows-autopatch-groups-windows-update.md#deployment-cadence).
+Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. Devices that have cadence type set to Schedule install aren't eligible for Windows quality update SLO. For more information about the Schedule Install cadence type, see [Deployment cadence types](../operate/windows-autopatch-groups-windows-update.md#deployment-cadence).
 
 > [!IMPORTANT]
 > Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
@@ -54,7 +54,7 @@ In the Release management blade, you can:
 
 For each [deployment ring](windows-autopatch-update-management.md#windows-autopatch-deployment-rings), the **Release schedule** tab contains:
 
-- The status of the update. Releases will appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf.
+- The status of the update. Releases appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf.
 - The date the update is available.
 - The target completion date of the update.
 - In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pause-and-resume-a-release) a Windows quality update release.
@@ -63,7 +63,7 @@ For each [deployment ring](windows-autopatch-update-management.md#windows-autopa
 
 Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release.
 
-When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly.
+When expediting a release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly.
 
 | Release type | Group | Deferral | Deadline | Grace period |
 | ----- | ----- | ----- | ----- | ----- |
@@ -87,7 +87,7 @@ By default, the service expedites quality updates as needed. For those organizat
 
 Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.
 
-For the deployment rings that have passed quality updates deferral date, the OOB release schedule will be expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs will be released as per the set deferral dates.
+For the deployment rings that have passed quality updates deferral date, the OOB release schedule is expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs is released as per the set deferral dates.
 
 **To view deployed Out of Band quality updates:**
 
@@ -114,19 +114,19 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Devices** from the left navigation menu.
 1. Under the **Windows Autopatch** section, select **Release management**.
-1. In the **Release management** blade, got to the **Release schedule** tab and select **Windows quality updates**.
-1. Select the Autopatch group that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group you want to pause or resume. Select, **Pause** or **Resume** from the dropdown menu.
-1. Select a reason from the dropdown menu.
-1. Optional. Enter details about why you're pausing or resuming the selected update.
-1. If you're resuming an update, you can select one or more deployment rings.
-1. Select **Okay**.
+1. In the **Release management** blade, go to the **Release schedule** tab and select **Windows quality updates**.
+1. Select the Autopatch group or deployment ring that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group or deployment ring you want to pause or resume. Select, **Pause** or **Resume** from the dropdown menu.
+1. Optional. Enter the justification(s) about why you're pausing or resuming the selected update.
+1. Optional. Select **This pause is related to Windows Update**. When you select this checkbox, you must provide information about how the pause is related to Windows Update.
+1. If you're resuming an update, you can select one or more Autopatch groups or deployment rings.
+1. Select **Pause or Resume deployment**.
 
 The three following statuses are associated with paused quality updates:
 
 | Status | Description |
 | ----- | ------ |
-| Paused by Service | If the Windows Autopatch service has paused an update, the release will have the **Paused by Service** status. The Paused by Service only applies to rings that aren't Paused by the Tenant. |
-| Paused by Tenant | If you've paused an update, the release will have the **Paused by Tenant** status. The Windows Autopatch service can't overwrite a tenant pause. You must select **Resume** to resume the update. |
+| Paused by Service | If the Windows Autopatch service has paused an update, the release has the **Paused by Service** status. The Paused by Service only applies to rings that aren't Paused by the Tenant. |
+| Paused by Tenant | If you've paused an update, the release has the **Paused by Tenant** status. The Windows Autopatch service can't overwrite a tenant pause. You must select **Resume** to resume the update. |
 
 ## Remediating Not ready and/or Not up to Date devices
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
index 703ee03554..af916925f0 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
@@ -51,7 +51,7 @@ The following information is available as optional columns in the Quality update
 
 | Column name | Description |
 | ----- | ----- |
-| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device |
+| Microsoft Entra device ID | The current Microsoft Entra ID recorded device ID for the device |
 | Serial number | The current Intune recorded serial number for the device |
 | Intune last check in time | The last time the device checked in to Intune |
 | Service State | The Service State provided from Windows Update |
@@ -75,7 +75,7 @@ The following options are available:
 
 | Option | Description |
 | ----- | ----- |
-| Search | Use to search by device name, Azure AD device ID or serial number |
+| Search | Use to search by device name, Microsoft Entra device ID or serial number |
 | Sort | Select the **column headings** to sort the report data in ascending and descending order. |
 | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
 | Filter | Select either the **Add filters** or at the top of the report to filter the results. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
index 154e93fb08..e744f0c407 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
@@ -1,7 +1,7 @@
 ---
 title: Windows quality update summary dashboard
 description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch with Autopatch groups
-ms.date: 07/25/2023
+ms.date: 10/04/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -17,7 +17,7 @@ ms.collection:
 
 # Windows quality update summary dashboard
 
-The summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
+The Summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
 
 **To view the current update status for all your enrolled devices:**
 
@@ -29,7 +29,7 @@ The summary dashboard provides a summary view of the current update status for a
 
 ## Report information
 
-The following information is available in the summary dashboard:
+The following information is available in the Summary dashboard:
 
 | Column name | Description |
 | ----- | ----- |
@@ -47,5 +47,5 @@ The following options are available:
 
 | Option | Description |
 | ----- | ----- |
-| Refresh | The option to **Refresh** the summary dashboard is available at the top of the page. This process will ensure that the summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
+| Refresh | The option to **Refresh** the Summary dashboard is available at the top of the page. This process ensures that the Summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
 | Summary links | Each column represents the summary of included devices. Select the hyperlinked number to produce a filtered report in a new browser tab. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index cab93e35da..3b72dc6d90 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -23,13 +23,13 @@ After you've completed enrollment in Windows Autopatch, some management settings
 1. If any of the items apply to your environment, make the adjustments as described.
 
 > [!NOTE]
-> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) before you change the policies listed there.
+> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) before you change the policies listed there.
 
 ## Microsoft Intune settings
 
 | Setting | Description |
 | ----- | ----- |
-| Deployment rings for Windows 10 or later | For any deployment rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign deployment rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).<p>Windows Autopatch creates some update ring policies. These policies have "**Modern Workplace**" in the name. For example:</p><ul><li>Modern Workplace Update Policy [Broad]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Fast]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [First]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Test]-[Windows Autopatch]</li></ul><p>When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.</p><p>**To resolve the Not ready result:**</p><p>After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group. For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p><p>**To resolve the Advisory result:**</p><ol><li>Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.</li> <li>If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).</li></ol><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p> |
+| Deployment rings for Windows 10 or later | For any deployment rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Microsoft Entra group from each policy. For more information, see [Create and assign deployment rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).<p>Windows Autopatch creates some update ring policies. These policies have "**Modern Workplace**" in the name. For example:</p><ul><li>Modern Workplace Update Policy [Broad]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Fast]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [First]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Test]-[Windows Autopatch]</li></ul><p>When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Microsoft Entra group from the policies that Windows Autopatch created.</p><p>**To resolve the Not ready result:**</p><p>After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Microsoft Entra group. For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p><p>**To resolve the Advisory result:**</p><ol><li>Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Microsoft Entra group.</li> <li>If you have assigned Microsoft Entra user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Microsoft Entra group that you add your Windows Autopatch users to (or an equivalent group).</li></ol><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p> |
 
 ## Windows Autopatch configurations
 
@@ -56,7 +56,7 @@ The type of banner that appears depends on the severity of the action. Currently
 
 | Action type | Severity | Description |
 | ----- | ----- | ----- |
-| Maintain tenant access | Critical | Required licenses have expired. The licenses include:<ul><li>Microsoft Intune</li><li>Azure Active Directory Premium</li><li>Windows 10/11 Enterprise E3 or higher</li><ul><li>For more information about specific services plans, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li></ul><p>To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you have renewed the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)</p> |
+| Maintain tenant access | Critical | Required licenses have expired. The licenses include:<ul><li>Microsoft Intune</li><li>Microsoft Entra ID P1 or P2</li><li>Windows 10/11 Enterprise E3 or higher</li><ul><li>For more information about specific services plans, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li></ul><p>To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you have renewed the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)</p> |
 | Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can’t manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.<p>Reasons for tenant access issues:<ul><li>You haven't yet migrated to the new [Windows Autopatch enterprise application](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). Windows Autopatch uses this enterprise application to run the service.</li><li>You have blocked or removed the permissions required for the Windows Autopatch enterprise application.</li></ul><p>Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.</p><p>For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).</p> |
 
 ### Inactive status
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
index e0298e93f1..041df4c91f 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
@@ -1,7 +1,7 @@
 ---
 title: Manage driver and firmware updates
 description: This article explains how you can manage driver and firmware updates with Windows Autopatch
-ms.date: 07/04/2023 
+ms.date: 08/22/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -15,10 +15,7 @@ ms.collection:
   - tier1
 ---
 
-# Manage driver and firmware updates (public preview)
-
-> [!IMPORTANT]
-> This feature is in **public preview**. The feature is being actively developed, and might not be complete. You can test and use these features in production environments and provide feedback.
+# Manage driver and firmware updates
 
 You can manage and control your driver and firmware updates with Windows Autopatch. You can choose to receive driver and firmware updates automatically, or self-manage the deployment.
 
@@ -32,7 +29,7 @@ Switching the toggle between Automatic and Self-managed modes creates driver pro
 | Modes | Description |
 | ----- | -----|
 | Automatic | We recommend using **Automatic** mode.<p>Automatic mode (default) is recommended for organizations with standard Original Equipment Manufacturer (OEM) devices where no recent driver or hardware issues have occurred due to Windows Updates. Automatic mode ensures the most secure drivers are installed using Autopatch deployment ring rollout.</p> |
-| Self-managed | When you use the the **Self-managed** mode for drivers and firmware, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.<p>Self-managed mode turns off Windows Autopatch’s automatic driver deployment. Instead, the Administrator controls the driver deployment.<p>The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.</p><p>The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.</p> |
+| Self-managed | When you use **Self-managed** mode, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.<p>Self-managed mode turns off Windows Autopatch’s automatic driver deployment. Instead, the Administrator controls the driver deployment.<p>The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.</p><p>The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.</p> |
 
 ## Set driver and firmware updates to Automatic or Self-managed mode
 
@@ -49,16 +46,16 @@ Switching the toggle between Automatic and Self-managed modes creates driver pro
 
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Devices** > **Driver updates for Windows 10 and later**.
-1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch – Driver Update Policy** and end with the name of the ring to which they're targeted in brackets. For example, **Windows Autopatch – Driver Update Policy [Test]**.
+1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch – Driver Update Policy** and end with the name of the deployment ring to which they're targeted in brackets. For example, **Windows Autopatch – Driver Update Policy [Test]**.
 
 The `CreateDriverUpdatePolicy` is created for the Test, First, Fast, and Broad deployment rings. The policy settings are defined in the following table:
 
 | Policy name | DisplayName | Description | Approval Type | DeploymentDeferralInDays |
 | ----- | ----- | ----- | ----- | ----- |
-| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update Policy [Test/First/Fast/Broad] | Driver Update Policy for device Test/First/Fast/Broad group | Automatic | `0` |
-
-> [!NOTE]
-> In public preview, the DeploymentDeferralInDays setting is set to `0` for all deployment rings.
+| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update Policy [**Test**] | Driver Update Policy for device **Test** group | Automatic | `0` |
+| `CreateDriverUpdatePolicy`| Windows Autopatch – Driver Update Policy [**First**] | Driver Update Policy for device **First** group | Automatic | `1` |
+| `CreateDriverUpdatePolicy` |Windows Autopatch – Driver Update Policy [**Fast**] | Driver Update Policy for device **Fast** group | Automatic | `6` |
+| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update Policy [**Broad**] | Driver Update Policy for device **Broad** group | Automatic | `9` |
 
 ## Feedback and support
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
index 5c0649bc8e..21a44e576c 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
@@ -1,7 +1,7 @@
 ---
 title: Microsoft Teams
 description: This article explains how Microsoft Teams updates are managed in Windows Autopatch
-ms.date: 05/30/2022
+ms.date: 09/15/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
index ecc8f356a9..2c89d2a8ce 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
@@ -25,7 +25,7 @@ If you're looking to unenroll your tenant from Windows Autopatch, this article d
 Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will:  
 
 - Remove Windows Autopatch access to your tenant.
-- Exclude your devices from the Windows Autopatch service. Excluding your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Exclude a device](../operate/windows-autopatch-exclude-device.md).
+- Exclude your devices from the Windows Autopatch service. Excluding your devices from Windows Autopatch won't remove your devices from Intune, Microsoft Entra ID or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Exclude a device](../operate/windows-autopatch-exclude-device.md).
 - Delete all data that we've stored in the Windows Autopatch data storage.
 
 > [!NOTE]
@@ -36,7 +36,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
 | Responsibility | Description |
 | ----- | ----- |
 | Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). |
-| Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). |
+| Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Microsoft Entra device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). |
 
 ## Your responsibilities after unenrolling your tenant
 
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
new file mode 100644
index 0000000000..7fc5bce674
--- /dev/null
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
@@ -0,0 +1,337 @@
+---
+title: Windows Autopatch deployment guide
+description: This guide explains how to successfully deploy Windows Autopatch in your environment
+ms.date: 08/24/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: hathind
+ms.collection:
+  - tier2
+---
+
+# Windows Autopatch deployment guide
+
+As organizations move to support hybrid and remote workforces, and continue to adopt cloud-based endpoint management with services such as Intune, managing updates is critical.
+
+Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
+
+A successful Windows Autopatch deployment starts with planning and determining your objectives. Use this deployment guide to plan your move or migration to Windows Autopatch.
+
+This guide:
+
+- Helps you plan your deployment and adopt Windows Autopatch
+- Lists and describes some common objectives
+- Provides a recommended deployment plan
+- Provides migration considerations for Windows Update for Business (WUfB) and Microsoft Configuration Manager
+- Lists some common general considerations when deploying Windows Autopatch
+- Provides suggested business case benefits and communication guidance
+- Gives additional guidance and how to join the Autopatch community
+
+## Determine your objectives
+
+This section details some common objectives when using Windows Autopatch.  
+
+Once an organization is onboarded, Windows Autopatch automatically creates multiple progressive deployment rings and applies the latest updates according to Windows Autopatch recommended practices and your organization's custom configuration. While there are options to adjust configurations such as quality update cadence, the service provides you with a baseline to begin establishing your update objectives.
+
+Use Windows Autopatch to solve the following challenges:
+
+- Difficulty developing and defending update cadence and general best practices
+- Increase visibility and improve issue reporting
+- Achieving a consistent update success rate
+- Standardize and optimize the configuration for devices, policies, tools and versions across their environment
+- Transition to modern update management by configuring Intune and Windows Update for Business
+- Make update processes more efficient and less reliant on IT admin resources  
+- Address vulnerabilities and Windows quality updates as soon as possible to improve security
+- Assist with compliance to align with industry standards
+- Invest more time on value-add IT projects rather than monthly updates
+- Planning and managing Windows feature updates
+- Transition to Windows 11
+
+## Recommended deployment steps
+
+The following deployment steps can be used as a guide to help you to create your organization's specific deployment plan to adopt and deploy Windows Autopatch.
+
+:::image type="content" source="../media/windows-autopatch-deployment-journey.png" alt-text="Windows Autopatch deployment journey" lightbox="../media/windows-autopatch-deployment-journey.png":::
+
+### Step one: Prepare
+
+[Review the prerequisites](../prepare/windows-autopatch-prerequisites.md) and [enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md) into the Windows Autopatch service. At this stage, your devices aren't affected.  You can enroll your tenant and review the service options before registering your devices.
+
+| Step | Description |
+| ----- | ----- |
+| **1A: Set up the service** | <ul><li>Prepare your environment, review existing update policies and [General Considerations](#general-considerations)</li><li>Review and understand [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service</li><li>Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)</li><li>Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) completed successfully</li></ul> |
+| **1B: Confirm update service needs and configure your workloads** | <ul><li>[Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md): Expedite preferences and cadence customizations</li><li>[Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md): Servicing version preferences</li><li>[Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md): Set to either Manual or Automatic</li><li>[Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md): Set to either Monthly Enterprise Channel or opt-out</li><li>[Microsoft Edge](../operate/windows-autopatch-edge.md): Required. Beta and Stable Channel</li><li>[Microsoft Teams](../operate/windows-autopatch-teams.md): Required. Automatic</li></ul> |
+| **1C: Consider your Autopatch groups distribution** | Organizations have a range of Windows devices including desktop computers, laptops and tablets that might be grouped across multiple logical or physical locations. When planning your Autopatch groups strategy, consider the Autopatch group structure that best fits your organizational needs. It's recommended to utilize the service defaults as much as possible. However, if necessary, you can customize the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) with additional deployment rings and/or [create your own Custom Autopatch group(s)](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).<br><br><ul><li> Review your device inventory and consider a representative mix of devices across your distribution</li><li>Review your Microsoft Entra groups that you wish to use to register devices into the service</li><li>Review [device registration options](../deploy/windows-autopatch-device-registration-overview.md) and [register your first devices](../deploy/windows-autopatch-register-devices.md)</li></ul> |
+| **1D: Review network optimization** | It's important to [prepare your network](../prepare/windows-autopatch-configure-network.md) to ensure that your devices have access to updates in the most efficient way, without impacting your infrastructure.<br><br>A recommended approach to manage bandwidth consumption is to utilize [Delivery Optimization](../prepare/windows-autopatch-configure-network.md#delivery-optimization). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages amongst multiple devices in your deployment. |
+
+### Step two: Evaluate
+
+Evaluate Windows Autopatch with around 50 devices to ensure the service meets your needs. You can adjust this number based on your organizational make-up. It's recommended to monitor one update cycle during this evaluation step.
+
+| Step | Description |
+| ----- | ----- |
+| **2A: Review reporting capabilities** | <ul><li>[Windows quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports)</li><li>[Windows feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports)</li><li>[Windows Update for Business (WUfB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report)</li></ul>Windows Autopatch quality and feature update reports provide a progress view on the latest update cycle for your devices. These reports should be reviewed often to ensure you understand the update state of your Windows Autopatch devices.<br><br>There might be times when using Windows Autopatch for update deployment that it's beneficial to review Windows Update for Business (WUfB) reports.<br><br>For example, when preparing to deploy Windows 11, you might find it useful to evaluate your devices using the [Windows feature update device readiness](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report) and [Windows feature update compatibility risks reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-compatibility-risks-report) in Intune.|
+| **2B: Review operational changes** | As part of the introduction of Windows Autopatch, you should consider how the service integrates with your existing operational processes.<br><ul><li>Identify service desk and end user computing process changes</li><li>Identify any alignment with third party support agreements</li><li>Review the default Windows Autopatch support process and alignment with your existing Premier and Unified support options</li><li>Identify IT admin process change & service interaction points</li></ul> |
+| **2C: Educate end users and key stakeholders**| Educate your end users by creating guides for the Windows Autopatch end user experience.<ul><li>[Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)</li><li>[Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)</li>[Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)<li>[Microsoft Edge](../operate/windows-autopatch-edge.md)</li><li>[Microsoft Teams](../operate/windows-autopatch-teams.md)</li></ul><br>Include your IT support and help desk in the early stages of the Windows Autopatch deployment and planning process. Early involvement allows your support staff to:<br><ul><li>Gain knowledge and experience in identifying and resolving update issues more effectively</li><li>Prepare them to support production rollouts. Knowledgeable help desk and support teams also help end users adopt to changes</li></ul><br>Your support staff can experience a walkthrough of the Windows Autopatch admin experience through the [Windows Autopatch demo site](https://aka.ms/autopatchdemo). |
+| **2D: Pilot planning** | Identify target pilot group(s) of up to 500 devices. It's recommended to include a cross-section of your organizational make-up to ensure your pilot results are representative of your organizational environment. |
+
+### Step three: Pilot
+
+Plan to pilot the service with around 500 devices to provide sufficient pilot coverage to be ready for deployment. You can adjust this number based on your organizational make-up. It's recommended to monitor one to two update cycles during the pilot step.
+
+| Step | Description |
+| ----- | ----- |
+| **3A: Register devices** | Register pilot device group(s) |
+| **3B: Monitor update process success** |<ul><li>Quality update: One to two update cycles</li><li>Feature update: Set of pilot devices scheduled across several weeks</li><li>Drivers and firmware: One to two update cycles</li><li>Microsoft 365 Apps for enterprise (if not opted-out): One to two update cycles</li><li>Microsoft Edge: One to two update cycles</li><li>Microsoft Teams: One to two update cycles</li> |
+| **3C: Review reports** |<ul><li>[Quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports): Monitor data in the reports across one to two update cycles</li><li>[Feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports): Monitor data in the reports across the update schedule</li><li>[Windows Update for Business (WUfB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report): Monitor data in the report across one to two update cycles</li></ul> |
+| **3D: Implement operational changes** |<ul><li>Pilot Service Desk, end user computing and third party (if applicable) process changes with pilot representatives</li><li>IT admins must:<ul><li>Review deployment progress using Windows Autopatch reports</li><li>Respond to identified actions to help improve success rates</li></ul></ul> |
+| **3E: Communicate with stakeholders** | Review and action your stakeholder communication plan. |
+| **3F: Deployment planning** | Prepare target deployment groups for phased deployment of Windows Autopatch. |
+
+### Step four: Deploy
+
+Following a successful pilot, you can commence deployment to your broader organization.  The pace at which you deploy is dependent on your own requirements; for example, deploying in groups of 500 to 5000 per week are commonly used approaches to complete the deployment of Windows Autopatch.
+
+| Step | Description |
+| ----- | ----- |
+| **4A: Review reports** |<ul><li>Review deployment progress using Windows Autopatch reports</li><li>Respond to identified actions to help improve success rates</li></ul> |
+| **4B: Communicate with stakeholders** | Review and action your stakeholder communication plan |
+| **4C: Complete operational changes** |<ul><li>Service Desk readiness is complete and in place</li><li>IT admins take the required action(s) based on the Autopatch reports</li></ul> |
+
+## Migration considerations
+
+If you're an existing Windows Update for Business (WUfB) or Configuration Manager customer, there are several considerations that could accelerate your deployment along a shorter path.
+
+### Why migrate from Windows Update for Business or Configuration Manager to Windows Autopatch?
+
+Customers who are using Windows Update for Business (WUfB) or Configuration Manager can quickly adopt Windows Autopatch and take advantage of the key benefits that Windows Autopatch provides.
+
+When moving from Windows Update for Business (WUfB) or Configuration Manager to Windows Autopatch, you can enhance and optimize the update experience that you're already familiar with.  
+
+Once migrated, there are several configuration tasks that you no longer need to carry out:
+
+| Autopatch benefit | Configuration Manager | Windows Update for Business (WUfB) |
+| ----- | ----- | ----- |
+| Automated setup and on-going configuration of Windows Update policies | Manage and perform recurring tasks such as:<ul><li>Download updates</li><li>Distribute to distribution points</li><li>Target update collections</li></ul> | Manage "static" deployment ring policies |
+| Automated management of deployment ring membership | Manually check collection membership and targets | Manage "static" deployment ring membership |
+| Maintain minimum Windows feature version and progressively move between servicing versions | Spend time developing, testing and rolling-out task sequence | Set up and deploy Windows feature update policies |
+| Service provides release management, signal monitoring, testing, and Windows Update deployment | Setup, target and monitor update test collections | Manage Test deployment rings and manually monitor update signals |
+| Simple, integrated process to turn on the service as part of the Windows 365 provisioning policy | Manually target Cloud PCs in device collections | Manually target Cloud PCs in Microsoft Entra groups |
+
+In addition to the reports, other benefits include:
+
+| Autopatch benefit | Configuration Manager and Windows Update for Business (WUfB) |
+| ----- | ----- |
+| Windows quality and feature update reports with integrated alerts, deep filtering, and status-at-a-glance | Requires you to manually navigate and hunt for status and alerts |
+| Filter by action needed with integrated resolution documentation | Requires you to research and discover possible actions relating to update issues |
+| Better visibility for IT admins, Security compliance and proof for regulator | Requires you to pull together different reports and views across multiple admin portals |
+
+Service management benefits include:
+
+| Autopatch benefit | Configuration Manager and Windows Update for Business (WUfB) |
+| ----- | ----- |
+| Windows automation and Microsoft Insights | First or third-party resources required to support and manage updates internally |
+| Microsoft research and insights determine the 'go/no-go' for your update deployment | Limited signals and insights from your organization to determine the 'go/no-go' for your update deployment |
+| Windows Autopatch might pause or roll back an update. The pause or rollback is dependent on the scope of impact and to prevent end user disruption | Manual intervention required, widening the potential impact of any update issues |
+| By default, Windows Autopatch [expedites quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md#expedited-releases) as needed. | Manual intervention required, widening the potential impact of any update issues |
+
+### Migrating from Windows Update for Business (WUfB) to Windows Autopatch
+
+#### Assessing your readiness to migrate from Windows Update for Business (WUfB) to Windows Autopatch
+
+When moving from Windows Update for Business (WUfB) to Windows Autopatch, you can accelerate and simplify your adoption by assessing your readiness to quickly migrate to the Windows Autopatch service by considering key differences that might impact your deployment:
+
+| Step | Assessment step | Recommendation |
+| ----- | ----- | ----- |
+| **1** | "User based" vs. "device based" targeting | Windows Autopatch doesn't support "user based" targeting.  If your Windows Update deployment is "user based", you must plan to move to a device-based targeting model by adding and registering devices into Windows Autopatch. Use the [Consider your Autopatch groups guidance](#step-one-prepare) |
+| **2** | Microsoft Edge channels | Windows Autopatch deploys Microsoft Edge Stable channel to devices in all deployment rings except for the Test deployment ring. The Test deployment ring is configured for the Microsoft Edge Beta channel. If you're currently using different channels, your teams should understand that your Windows Autopatch devices use these channels. For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare). |
+| **3** | Microsoft 365 Apps for enterprise | Windows Autopatch deploys the Monthly Enterprise Channel to all Microsoft 365 Apps for enterprise clients. If your organization is using a different channel and you don't wish to adopt the Monthly Enterprise Channel, you can opt out Microsoft 365 Apps for enterprise updates. For more information, see [Confirm update service needs and configure your workloads](#step-one-prepare) |
+| **4** | Prepare your policies | You should consider any existing policy configurations in your Windows Update for Business (WUfB), Intune or on-premises environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) |
+| **5** | Network optimization technologies | We recommend you consider your network optimization technologies as part of your Windows Autopatch deployment.  However, if you're already using Windows Update for Business (WUfB) it's likely you already have your network optimization solution in place.  For more information, see [Review network optimization](#step-one-prepare) |
+
+### Optimized deployment path: Windows Update for Business (WUfB) to Windows Autopatch
+
+Once you have assessed your readiness state to ensure you're aligned to Windows Autopatch readiness, you can optimize your deployment of Windows Autopatch to quickly migrate to the service. The following steps illustrate a recommended optimized deployment path:
+
+| Step | Example timeline | Task |
+| ----- | ----- | ----- |
+| **[Step one: Prepare > Set up the service](#step-one-prepare)** | Week one | Follow our standard guidance to turn on the Windows Autopatch service<ul><li>Prepare your environment, review existing update policies and [General Considerations](#general-considerations)</li><li>Review and understand the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service</li><li>Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)</li><li>Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) have completed successfully</li></ul> |
+| **[Step one: Prepare > Adjust the service configuration based on your migration readiness](#step-one-prepare)** | Week one | <ul><li>[Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)</li><li>[Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)</li><li>[Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)</li><li>[Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)</li><li>[Microsoft Edge](../operate/windows-autopatch-edge.md)</li><li>[Microsoft Teams](../operate/windows-autopatch-teams.md)</li><li>Use the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [create a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul> |
+| **[Step two: Evaluate](#step-two-evaluate)** | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place |
+| **[Step three: Pilot](#step-three-pilot)** | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams |
+| **[Step four: Deploy](#step-four-deploy)** | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable |
+
+### Migrating from Configuration Manager to Windows Autopatch
+
+Regardless of if you're migrating from Configuration Manager to Microsoft Intune or if you're remaining with Configuration Manager, if you're currently using Configuration Manager to manage updates, you can migrate the update workloads to Windows Autopatch and take advantage of the key benefits for your Configuration Manager environment.
+
+#### Assessing your readiness to migrate from Configuration Manager to Windows Autopatch
+
+When you migrate from Configuration Manager to Windows Autopatch, the fastest path to quickly gain value from Windows Autopatch is to already have co-management and the requisite workloads moved to Intune.
+
+| Step | Assessment step | Recommendation |
+| ----- | ----- | ----- |
+| **1** | Turn on co-management | If you're using co-management across Configuration Manager and your managed devices, you meet the key requirements to use Windows Autopatch.<br><br>If you don't have co-management, see [How to use co-management in Configuration Manager](/mem/configmgr/comanage/how-to-enable) |
+| **2** | Use required co-management workloads | Using Windows Autopatch requires that your managed devices use the following three co-management workloads:<ul><li>Windows Update policies workload</li><li>Device configuration workload</li><li>Office Click-to-Run apps workload</li></ul><br>If you have these workloads configured, you meet the key requirements to use Windows Autopatch. If you don't have these workloads configured, review [How to switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads) |
+| **3** | Prepare your policies | You should consider any existing policy configurations in your Configuration Manager (or on-premises) environment that could impact your deployment of Windows Autopatch. For more information, review [General considerations](#general-considerations) |
+| **4** | Ensure Configuration Manager collections or Microsoft Entra device groups readiness | To move devices to Windows Autopatch, you must register devices with the Windows Autopatch service. To do so, use either Microsoft Entra device groups, or Configuration Manager collections. Ensure you have either Microsoft Entra device groups or Configuration Manager collections that allow you to evaluate, pilot and then migrate to the Windows Autopatch service. For more information, see [Register your devices](../deploy/windows-autopatch-register-devices.md#before-you-begin). |  
+
+### Optimized deployment path: Configuration Manager to Windows Autopatch
+
+Once you have assessed your readiness state to ensure you're aligned to Windows Autopatch readiness, you can optimize your deployment of Windows Autopatch to quickly migrate to the service.   The following steps illustrate a recommended optimized deployment path:
+
+| Step | Example timeline | Task |
+| ----- | ----- | ----- |
+| **[Step one: Prepare > Set up the service](#step-one-prepare)** | Week one | Follow our standard guidance to turn on the Windows Autopatch service<ul><li>Prepare your environment, review existing update policies and [General Considerations](#general-considerations).</li><li>Review and understand the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) when enrolling into the service</li><li>Enroll into the service and [add your admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>Review [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)</li><li>Verify the [changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) have completed successfully.</li></ul> |
+| **[Step one: Prepare > Adjust the service configuration based on your migration readiness](#step-one-prepare)** | Week one | <ul><li>[Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)</li><li>[Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)</li><li>[Driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)</li><li>[Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)</li><li>[Microsoft Edge](../operate/windows-autopatch-edge.md)</li><li>[Microsoft Teams](../operate/windows-autopatch-teams.md)</li><li>Use the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [create a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul> |
+| **[Step two: Evaluate](#step-two-evaluate)** | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place |
+| **[Step three: Pilot](#step-three-pilot)** | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams |
+| **[Step four: Deploy](#step-four-deploy)** | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable |
+
+## General considerations
+
+As part of your planning process, you should consider any existing enterprise configurations in your environment that could affect your deployment of Windows Autopatch.  
+
+Many organizations have existing policies and device management infrastructure, for example:
+
+- Group Policy Objects (GPO)
+- Registry settings
+- Configuration Manager
+- Existing Mobile Device Management (MDM) policies
+- Servicing profiles for Microsoft 365 Apps
+
+It's a useful exercise to create a baseline of your policies and existing settings to map out the configuration that could impact your move to Windows Autopatch.
+
+### Group policy
+
+Review existing policies and their structure. Some policies might apply globally, some apply at the site level, and some are specific to a device. The goal is to know and understand the intent of global policies, the intent of local policies, and so on.
+
+On-premises AD group policies are applied in the LSDOU order (Local, Site, Domain, and Organizational Unit (OU)). In this hierarchy, OU policies overwrite domain policies, domain policies overwrite site policies, and so on.
+
+| Area | Path | Recommendation |
+| -----  | ----- | ----- |
+| Windows Update Group Policy settings | `Computer Configuration\Administrative Templates\Windows Components\Windows Updates` | The most common Windows Update settings delivered through Group Policy can be found under this path. This is a good place for you to start your review. |
+| Don't connect to any Windows Update Internet locations | `Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations` | This is a common setting for organizations that rely solely on intranet update locations such as Windows Server Update Services (WSUS) servers and can often be overlooked when moving to cloud update services such as Windows Update for Business (WUfB)<br><br>When turned on, this policy prevents contact with the public Windows Update service and won't establish connections to Windows Update, and might cause the connection to Windows Update for Business (WUfB), and Delivery Optimization to stop working. |
+| Scan Source policy | `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service` | You can choose what types of updates to get from either Windows Server Update Services (WSUS) or Windows Update for Business (WUfB) service with the Windows Update Scan Source policy.<br><br>You should review any scan source policy settings targeting devices to ensure:<ul><li>That no conflicts exist that could affect update deployment through Windows Autopatch</li><li>Such policies aren't targeting devices enrolled into Windows Autopatch</li></ul> |
+
+### Registry settings
+
+Any policies, scripts or settings that create or edit values in the following registry keys might interfere with Windows and Office Update settings delivered through Autopatch. It's important to understand how these settings interact with each other and with the Windows and Office Update service as part of your Autopatch planning.
+
+| Key | Description |
+| ----- | ----- |
+| `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState`<br>(Intune MDM only cloud managed)<br><br>`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`<br>(If GPO/WSUS/Configuration Manager is deployed) | This key contains general settings for Windows Update, such as the update source, the service branch, and the deferral periods for feature and quality updates. |
+| `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU`<br>(If GPO/WSUS/Configuration Manager is deployed) | This key contains settings for Automatic Updates, such as the schedule, the user interface, and the detection frequency. |
+| `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update`<br>(GPO/WSUS/Configuration Manager/Intune MDM Managed) | This key contains settings for update policies that are managed by Mobile Device Management (MDM) or Group Policy, such as pausing updates, excluding drivers, or configuring delivery optimization. |
+| `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration`<br>(GPO/Configuration Manager/Intune MDM Managed) | This key contains the registry keys for the Update Channel. This is a dynamic key that changes (depending on the configured settings) and the CDNBaseUrl (set when Microsoft 365 installs on the device).<br><br>Look at the `UpdateChannel` value. The value tells you how frequently Office is updated.<br><br>For more information, see [Manage Microsoft 365 Apps with Configuration Manager](/mem/configmgr/sum/deploy-use/manage-office-365-proplus-updates#bkmk_channel) to review the values, and what they're set to. Windows Autopatch currently supports the Monthly Enterprise Channel. If you opt into Office updates, it should be set to the Monthly Enterprise channel. |
+
+> [!NOTE]
+> For more information about Windows Update Settings for Group Policy and Mobile Device Management (MDM), see [Manage additional Windows Update settings](/windows/deployment/update/waas-wu-settings).
+
+### Configuration Manager
+
+#### Windows and Microsoft 365 Apps for enterprise updates
+
+When Configuration Manager is deployed, and if Software Update policies are configured, the Software Update policies could conflict with Windows Update for Business and Office Update policies.
+
+Configuration Manager could require custom settings to disable software updates and assist with troubleshooting conflicting legacy, on-premises configurations to ensure that Autopatch deliver Windows and Office updates. It's safe to implement this change if you aren't managing third party updates from Configuration Manager.
+
+To ensure that Software Update Policies don't conflict with Windows Update for Business (WUfB) and Office Update policies, create a Software Update Policy in Configuration Manager that has:
+
+- Windows and Office Update configuration disabled
+- Includes devices enrolled into Autopatch to remove any existing configuration(s).
+
+If this policy remains live, confirm that Autopatch devices aren't included in the live Software Update Policy in Configuration Manager.
+
+All devices that are enrolled in Autopatch use Windows and Office Update policies from the service, and any configurations that are applied through Configuration Manager Software Update Policies can be removed.
+
+For example, Configuration Manager Software Update Policy settings exclude Autopatch enrolled devices from receiving conflicting configuration for Windows and Office Updates:
+
+| Device setting | Recommended configuration |
+| ----- | ----- |
+| Enable software updates | No |
+| Enable management of the Office 365 Client Agent | No |
+
+> [!NOTE]
+> There is no requirement to create a Configuration Manager Software Update Policy if the policies aren’t in use.
+
+#### Existing Mobile Device Management (MDM) policies
+
+| Policy | Description |
+| ----- | ----- |
+| **MDM to win over GP** | As part of the tenant enrollment process, Autopatch deploys a Device configuration profile, which applies to all registered devices to set Mobile Device Management (MDM) to win over Group Policy (GP) with the "MDMWinsOverGP" CSP.<br><br>When applied, any MDM policy that's set, and has an equivalent GP Policy, results in the GP service blocking the policy setting. Setting the value to 0 (zero) or deleting the policy removes the GP policy blocks and restore the saved GP policies.<br><br>This setting doesn't apply to all scenarios. This setting doesn't work for:<ul><li>User scoped settings. This setting applies to device scoped settings only</li><li>Any custom Group Policy Object (GPO) outside of ADMX. For example, Microsoft Edge or Chrome settings</li><li>Any Windows Update for Business policies (WUfB). When you use Windows Update for Business (WUfB), ensure all previous Group Policies (GP) are removed that relate to Windows Update to ensure that Autopatch policies can take effect</li></ul><br><br>For more information and guidance on the expected behavior applied through this policy, see [ControlPolicyConflict Policy CSP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) |
+| **Windows Update for Business (WUfB) policies** | If you have any existing *Deployment rings for Windows 10 and later or Windows feature update DSS policies* in place, ensure that the assignments don't target Windows Autopatch devices. This is to avoid creating policy conflicts and unexpected update behavior, which could impact update compliance and end user experience. |
+| **Update Policy CSP** | If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) that aren't deployed and managed by Windows Autopatch are deployed to devices, policy conflicts and unexpected update behavior could occur and could affect update compliance and the end user experience. |
+
+#### Servicing profiles for Microsoft 365 Apps for enterprise
+
+You can use automation to deliver monthly updates to Microsoft 365 Apps for enterprise directly from the Office Content Delivery Network (CDN) using [Servicing profiles](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#compatibility-with-servicing-profiles). A servicing profile takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile affects all devices that meet the [device eligibility requirements](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#device-eligibility) regardless of existing management tools in your environment.  
+
+You can consider retargeting servicing profiles to non-Windows Autopatch devices or if you plan to continue using them, you can [block Windows Autopatch delivered Microsoft 365 App updates](/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise#allow-or-block-microsoft-365-app-updates) for Windows Autopatch-enrolled devices.
+
+## Business case
+
+Part of your planning might require articulating the business benefits of moving to Windows Autopatch from your existing update solution(s). Windows Autopatch provides several resources to help when building your business case.
+
+- [How Windows Autopatch works for you](https://www.microsoft.com/microsoft-365/windows/autopatch)
+- [What is Windows Autopatch?](https://techcommunity.microsoft.com/t5/windows-autopatch/windows-autopatch-resource-guide/m-p/3502461#_note3)
+- [Forrester - The Projected Total Economic Impact™ Of Windows Autopatch: Cost Savings And Business Benefits Enabled By Windows Autopatch](https://techcommunity.microsoft.com/t5/windows-autopatch/windows-autopatch-resource-guide/m-p/3502461#_note6)
+- [Windows Autopatch Skilling snack](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/skilling-snack-windows-autopatch/ba-p/3787448)
+
+## Stakeholder communications
+
+Change management relies on clear and helpful communication about upcoming changes. The best way to have a smooth deployment is to make sure end users and stakeholders are aware of all changes and disruptions. Your rollout communication plan should include all pertinent information, how to notify users, and when to communicate.  
+
+- Identify groups impacted by the Autopatch deployment
+- Identify key stakeholders in the impacted groups
+- Determine the types of communications needed
+- Develop your messaging based on the [Recommended deployment steps](#recommended-deployment-steps)
+- Create your stakeholder and communication plan schedule based on the [Recommended deployment steps](#recommended-deployment-steps)
+- Have communications drafted and reviewed, and consider your delivery channels such as:  
+    - Social media posts
+    - Internal messaging app (for example, Microsoft Teams)
+    - Internal team site
+    - Email
+    - Company blog
+    - Prerecorded on-demand videos
+    - Virtual meeting(s)
+    - In-person meetings
+    - Team workshops
+- Deploy your stakeholder communication plan
+
+## Review your objectives and business case with stakeholders
+
+Review your original objectives and business case with your key stakeholders to ensure your outcomes have been met and to ensure your expected value has been achieved.
+
+## Need additional guidance?
+
+If you need assistance with your Windows Autopatch deployment journey, you have the following support options:
+
+- Microsoft Account Team
+- [Microsoft FastTrack](/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request#microsoft-fasttrack)
+- Windows Autopatch Service Engineering Team
+    - [Tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md)
+    - [General support request](../operate/windows-autopatch-support-request.md)
+
+First contact your Microsoft Account team who can work with you to establish any guidance or support you might need. If you don't have a Microsoft Account Team contact or wish to explore other routes, Microsoft FastTrack offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. Finally, you can also log a support request with the Windows Autopatch Service Engineering Team.  
+
+### Windows Autopatch Private Community (APC)
+
+Once you're underway with your deployment, consider joining the [Windows Autopatch Private Community (APC)](https://aka.ms/WindowsAutopatchPrivateCommunity) where you can:
+
+- Engage directly with the Windows Autopatch Engineering Teams and other Autopatch customers
+- Gain access to:
+    - Exclusive virtual meetings
+    - Focus groups
+    - Surveys
+    - Teams discussions
+    - Previews
+
+### Windows Autopatch Technology Adoption Program (TAP)  
+
+If you have at least 500 devices enrolled in the service, and will test and give Microsoft feedback at least once a year, consider signing up to the [Windows Autopatch Technology Adoption Program (TAP)](https://aka.ms/JoinWindowsAutopatchTAP) to try out new and upcoming Windows Autopatch features.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 66e6fd2e1d..54d107d92d 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -31,10 +31,10 @@ sections:
           Autopatch isn't available for 'A' or 'F' series licensing.
       - question: Will Windows Autopatch support local domain join Windows 10?
         answer: | 
-          Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+          Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Microsoft Entra join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
       - question: Will Windows Autopatch be available for state and local government customers?
         answer: |
-          Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not suppported.
+          Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not supported.
       - question: What if I enrolled into Windows Autopatch using the promo code? Will I still have access to the service?
         answer: |
           Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There's no additional action you have to take to continue using Windows Autopatch.
@@ -111,7 +111,7 @@ sections:
           No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-windows-quality-update-end-user-exp.md#servicing-window) to prevent users from updating during business hours.
       - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership?
         answer: |
-          Windows Autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
+          Windows Autopatch doesn't support managing update deployment ring membership using your Microsoft Entra groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
       - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring?
         answer: |
           The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) would roll out more rapidly.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
index 0ce2010fe7..043db6fb77 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
@@ -23,13 +23,13 @@ Windows Autopatch is a cloud service for enterprise customers designed to keep e
 
 Windows Autopatch provides its service to enterprise customers, and properly administers customers' enrolled devices by using data from various sources.
 
-The sources include Azure Active Directory (Azure AD), Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages.
+The sources include Microsoft Entra ID, Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages.
 
 | Data source | Purpose |
 | ------ | ------ |
 | [Microsoft Windows 10/11 Enterprise](/windows/windows-10/) | Management of device setup experience, managing connections to other services, and operational support for IT pros. |
 | [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10/11 Enterprise diagnostic data to provide additional information on Windows 10/11 update. |
-| [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) | Device management and to keep your data secure. The following endpoint management data sources are used:<br><ul><li>[Microsoft Azure Active Directory](/azure/active-directory/): Authentication and identification of all user accounts.</li><li>[Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.</li></ul>
+| [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) | Device management and to keep your data secure. The following endpoint management data sources are used:<br><ul><li>[Microsoft Entra ID](/azure/active-directory/): Authentication and identification of all user accounts.</li><li>[Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.</li></ul>
 | [Windows Autopatch](https://go.microsoft.com/fwlink/?linkid=2109431) | Data provided by the customer or generated by the service during running of the service. |
 | [Microsoft 365 Apps for enterprise](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)| Management of Microsoft 365 Apps. |
 
@@ -90,9 +90,11 @@ Windows Autopatch creates and uses guest accounts using just-in-time access func
 
 Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Windows Autopatch uses this data and uses it to mitigate, and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence.
 
-## Microsoft Azure Active Directory
+<a name='microsoft-azure-active-directory'></a>
 
-Identifying data used by Windows Autopatch is stored by Azure Active Directory (AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)
+## Microsoft Entra ID
+
+Identifying data used by Windows Autopatch is stored by Microsoft Entra ID in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Microsoft Entra data is located, see [Microsoft Entra ID - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)
 
 ## Microsoft Intune
 
@@ -136,7 +138,7 @@ For DSRs from other products related to the service, see the following articles:
 
 - [Windows diagnostic data](/compliance/regulatory/gdpr-dsr-windows)
 - [Microsoft Intune data](/compliance/regulatory/gdpr-dsr-intune)
-- [Azure Active Directory data](/compliance/regulatory/gdpr-dsr-azure)
+- [Microsoft Entra data](/compliance/regulatory/gdpr-dsr-azure)
 
 ## Legal
 
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
index 1a0e660f16..5ac998067b 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@@ -1,7 +1,7 @@
 ---
 title: Roles and responsibilities
 description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
-ms.date: 08/08/2023
+ms.date: 08/31/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -30,6 +30,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | Review the [prerequisites](../prepare/windows-autopatch-prerequisites.md) | :heavy_check_mark: | :x: |
 | Review the [FAQ](../overview/windows-autopatch-faq.yml) | :heavy_check_mark: | :x: |
 | [Review the service data platform and privacy compliance details](../overview/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: |
+| Consult the [Deployment guide](../overview/windows-autopatch-deployment-guide.md) | :heavy_check_mark: | :x: |
 | Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
 | Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
 | Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
@@ -38,6 +39,8 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | [Manage and respond to tenant enrollment support requests](../prepare/windows-autopatch-enrollment-support-request.md) | :x: | :heavy_check_mark: |
 | Identify stakeholders for deployment communications | :heavy_check_mark: | :x: |
 
+For more information and assistance with preparing for your Windows Autopatch deployment journey, see [Need additional guidance](../overview/windows-autopatch-deployment-guide.md#need-additional-guidance).
+
 ## Deploy
 
 | Task | Your responsibility | Windows Autopatch |
@@ -46,13 +49,13 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: |
 | Educate users on the Windows Autopatch end user update experience<ul><li>[Windows quality update end user experience](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)</li><li>[Windows feature update end user experience](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md)</li><li>[Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)</li><li>[Microsoft Edge end user experience](../operate/windows-autopatch-edge.md)</li><li>[Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)</li></ul> | :heavy_check_mark: | :x: |
 | Review network optimization<ul><li>[Prepare your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Delivery Optimization](../prepare/windows-autopatch-configure-network.md#delivery-optimization) | :heavy_check_mark: | :x: |
-| Review existing configurations<ul><li>Remove your devices from existing unsupported [Windows Update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li></ul>|  :heavy_check_mark: | :x: |
+| Review existing configurations<ul><li>Remove your devices from existing unsupported [Windows Update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li><li>Consult [General considerations](../overview/windows-autopatch-deployment-guide.md#general-considerations)</li></ul>|  :heavy_check_mark: | :x: |
 | Confirm your update service needs and configure your workloads<ul><li>[Turn on or off expedited Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md#expedited-releases)</li><li>[Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates)</li><li>[Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)</li><li>[Customize Windows Update settings](../operate/windows-autopatch-windows-update.md)</li><li>Decide your [Windows feature update versions(s)](../operate/windows-autopatch-groups-windows-feature-update-overview.md)</li></ul>| :heavy_check_mark: | :x: |
 | [Consider your Autopatch groups distribution](../deploy/windows-autopatch-groups-overview.md)<ul><li>[Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)</li><li>[Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
 | [Register devices](../deploy/windows-autopatch-register-devices.md)<ul><li>[Review your device registration options](../deploy/windows-autopatch-device-registration-overview.md)</li><li>[Register your first devices](../deploy/windows-autopatch-register-devices.md) | :heavy_check_mark: | :x: |
 | [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-registered-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
 | Automatically assign devices to deployment rings at device registration<ul><li>[Default Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)</li><li>[Custom Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul>| :x: | :heavy_check_mark: |
-| Remediate registration issues<ul><li>[For devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)</li><li>[For devices displayed in the **Not registered** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)</li></ul> | :heavy_check_mark: | :x: |
+| Remediate registration issues<ul><li>[For devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)</li><li>[For devices displayed in the **Not registered** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)</li><li>[For devices with conflicting configurations](../references/windows-autopatch-conflicting-configurations.md)</li></ul> | :heavy_check_mark: | :x: |
 | Populate the Test and Last deployment ring membership<ul><li>[Default Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)</li><li>[Custom Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
 | [Manually override device assignments to deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: |
 | Review device conflict scenarios<ul><li>[Device conflict in deployment rings within an Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-in-deployment-rings-within-an-autopatch-group)</li><li>[Device conflict across different Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-across-different-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
@@ -83,11 +86,11 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-groups-windows-quality-update-signals.md) | :x: | :heavy_check_mark: |
 | [Pause updates (initiated by you)](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) | :heavy_check_mark: | :x: |
 | Run [on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: |
-| Maintain existing configurations<ul><li>Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li></ul> | :heavy_check_mark: | :x: |
-| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are<ul><li>[Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)</li><li>[Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)</li><li>have [Device alerts](../operate/windows-autopatch-device-alerts.md)</li></ul>
+| Maintain existing configurations<ul><li>Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li><li>Consult [General considerations](../overview/windows-autopatch-deployment-guide.md#general-considerations)</ul> | :heavy_check_mark: | :x: |
+| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are<ul><li>[Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)</li><li>[Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)</li><li>have [Device alerts](../operate/windows-autopatch-device-alerts.md)</li><li>have [conflicting configurations](../references/windows-autopatch-conflicting-configurations.md)</li></ul>
 | [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: |
 | [Exclude a device](../operate/windows-autopatch-exclude-device.md) | :heavy_check_mark: | :x: |
-| [Register a device that was previously excluded (upon customers request)](../operate/windows-autopatch-exclude-device.md) | :x: | :heavy_check_mark: |
+| [Register a device that was previously excluded](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) | :heavy_check_mark: | :x: |
 | [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
 | [Remove Windows Autopatch data from the service and exclude devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
 | [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index 3813ee70ef..c7695ea433 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -1,7 +1,7 @@
 ---
 title: Configure your network
 description: This article details the network configurations needed for Windows Autopatch
-ms.date: 05/30/2022
+ms.date: 09/15/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -44,7 +44,7 @@ There are URLs from several Microsoft products that must be in the allowed list
 | ----- | ----- |
 | Windows 10/11 Enterprise including Windows Update for Business | [Manage connection endpoints for Windows 10 Enterprise, version 1909](/windows/privacy/manage-windows-1909-endpoints)<p><p>[Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)</p><p>[Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)</p><p>[Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)</p><p>[Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)</p><p>[Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)</p>|
 | Microsoft 365 | [Microsoft 365 URL and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true) |
-| Azure Active Directory | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)<p><p>[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))</p> |
+| Microsoft Entra ID | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)<p><p>[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))</p> |
 | Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)<p><p>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)</p>
 | Microsoft Edge | [Allowlist for Microsoft Edge Endpoints](/deployedge/microsoft-edge-security-endpoints) |
 | Microsoft Teams | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index afe28158bc..95f0ed85fc 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -1,7 +1,7 @@
 ---
 title: Enroll your tenant
 description: This article details how to enroll your tenant
-ms.date: 07/11/2022
+ms.date: 09/15/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -33,7 +33,7 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop
 > [!IMPORTANT]
 > The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the  tool again.
 
-The Readiness assessment tool checks the settings in [Microsoft Intune](#microsoft-intune-settings) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure the settings work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
+The Readiness assessment tool checks the settings in [Microsoft Intune](#microsoft-intune-settings) and [Microsoft Entra ID](#azure-active-directory-settings) (Microsoft Entra ID) to ensure the settings work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
 
 **To access and run the Readiness assessment tool:**
 
@@ -56,9 +56,11 @@ The following are the Microsoft Intune settings:
 | ----- | ----- |
 | Deployment rings for Windows 10 or later | Verifies that Intune's deployment rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure deployment rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). |
 
-### Azure Active Directory settings
+<a name='azure-active-directory-settings'></a>
 
-The following are the Azure Active Directory settings:
+### Microsoft Entra settings
+
+The following are the Microsoft Entra settings:
 
 | Check | Description |
 | ----- | ----- |
@@ -74,7 +76,7 @@ For each check, the tool reports one of four possible results:
 | Ready | No action is required before completing enrollment. |
 | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
 | Not ready | You must fix these issues before enrollment. You can't enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them.  |
-| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. |
+| Error | The Microsoft Entra role you're using doesn't have sufficient permissions to run this check. |
 
 ## Step 3: Fix issues with your tenant
 
@@ -104,7 +106,7 @@ Once these actions are complete, you've now successfully enrolled your tenant.
 
 You can choose to delete the data we collect directly within the Readiness assessment tool.
 
-Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a deidentified form.
+Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Microsoft Entra organization (tenant). After 12 months, we retain the data in a deidentified form.
 
 > [!NOTE]
 > Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 39f30591e9..8acdf328e5 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -31,10 +31,10 @@ For each check, the tool reports one of four possible results:
 | Ready | No action is required before completing enrollment. |
 | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
 | Not ready | You must fix these issues before enrollment. You can't enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them.  |
-| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. |
+| Error | The Microsoft Entra role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. |
 
 > [!NOTE]
-> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies.
+> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies.
 
 ## Microsoft Intune settings
 
@@ -48,9 +48,11 @@ Your "Update rings for Windows 10 or later" policy in Intune must not target any
 | ----- | ----- |
 | Advisory |  You have an "update ring" policy that targets all devices, all users, or both. Windows Autopatch creates our own update ring policies during enrollment. To avoid conflicts with Windows Autopatch devices, we exclude our devices group from your existing update ring policies that target all devices, all users, or both. You must consent to this change when you go to enroll your tenant.</p>|
 
-## Azure Active Directory settings
+<a name='azure-active-directory-settings'></a>
 
-You can access Azure Active Directory (AD) settings in the [Azure portal](https://portal.azure.com/).
+## Microsoft Entra settings
+
+You can access Microsoft Entra settings in the [Azure portal](https://portal.azure.com/).
 
 ### Co-management
 
@@ -66,4 +68,4 @@ Windows Autopatch requires the following licenses:
 
 | Result | Meaning |
 | ----- | ----- |
-| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
+| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 90e7324a39..b0df16842e 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -21,9 +21,9 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
 
 | Area | Prerequisite details |
 | ----- | ----- |
-| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).<p><p>For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).<p><p>For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
+| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).<p><p>For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).<p><p>For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
 | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.<p><p>For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
-| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.<br><ul><li>For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)</li><li>For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul> |
+| Microsoft Entra ID | Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.<br><ul><li>For more information, see [Microsoft Entra Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Microsoft Entra hybrid join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)</li><li>For more information on supported Microsoft Entra Connect versions, see [Microsoft Entra Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul> |
 | Device management | [Devices must be already enrolled with Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) prior to registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.<p><p>At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).<p>Other device management prerequisites include:<ul><li>Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.</li><li>Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.</li><li>Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.</li><li>Devices must be connected to the internet.</li><li>Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.</li></ul><p>See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.<p>For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).</p> |
 | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md). |
 
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index f0c9059f9c..30030ec7cc 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -34,13 +34,15 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
 
 ### Service principal
 
-Windows Autopatch will create a service principal in your tenant to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:  
+Windows Autopatch will create a service principal in your tenant to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Microsoft Entra ID](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:  
 
 - Modern Workplace Customer APIs
 
-## Azure Active Directory groups
+<a name='azure-active-directory-groups'></a>
 
-Windows Autopatch will create the required Azure Active Directory groups to operate the service.
+## Microsoft Entra groups
+
+Windows Autopatch will create the required Microsoft Entra groups to operate the service.
 
 The following groups target Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications).
 
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
new file mode 100644
index 0000000000..865f6c15c9
--- /dev/null
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
@@ -0,0 +1,153 @@
+---
+title: Conflicting configurations
+description: This article explains how to remediate conflicting configurations affecting the Windows Autopatch service.
+ms.date: 09/05/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+ms.collection:
+  - highpri
+  - tier1
+---
+
+# Conflicting configurations (public preview)
+
+> [!IMPORTANT]
+> This feature is in **public preview**. The feature is being actively developed and might not be complete.
+
+During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the **Not ready** tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issue(s). You can review any device marked as **Not ready** and remediate them to a **Ready** state.  
+
+Windows Autopatch monitors conflicting configurations. You’re notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it’s possible that other services write back the registry keys. It’s recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates.  
+
+The most common sources of conflicting configurations include:
+
+- Active Directory Group Policy (GPO)
+- Configuration Manager Device client settings
+- Windows Update for Business (WUfB) policies
+- Manual registry updates  
+- Local Group Policy settings applied during imaging (LGPO)
+
+## Registry keys inspected by Autopatch
+
+```cmd
+Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations Value=Any
+Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess Value=Any
+Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer String=Any
+Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer Value=Any
+Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate Value=Any
+```
+
+## Resolving conflicts
+
+Windows Autopatch recommends removing the conflicting configurations. The following remediation examples can be used to remove conflicting settings and registry keys when targeted at Autopatch-managed clients.
+
+> [!IMPORTANT]
+> **It’s recommended to only target devices with conflicting configuration alerts**. The following remediation examples can affect devices that aren’t managed by Windows Autopatch, be sure to target accordingly.
+
+### Intune Remediation
+
+Navigate to Intune Remediations and create a remediation using the following examples. It’s recommended to create a single remediation per value to understand if the value persists after removal.  
+
+If you use either [**Detect**](#detect) and/or [**Remediate**](#remediate) actions, ensure to update the appropriate **Path** and **Value** called out in the Alert. For more information, see [Remediations](/mem/intune/fundamentals/remediations).
+
+#### Detect
+
+```powershell
+if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PSObject.Properties.Name -contains 'DoNotConnectToWindowsUpdateInternetLocations') {  
+    Exit 1 
+} else { 
+    exit 0 
+} 
+```
+
+| Alert details | Description |
+| ----- | ----- |
+| Path | `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` |
+| Value | `DoNotConnectToWindowsUpdateInternetLocations` |
+
+#### Remediate
+
+```powershell
+if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PSObject.Properties.Name -contains 'DoNotConnectToWindowsUpdateInternetLocations') { 
+    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DoNotConnectToWindowsUpdateInternetLocations" 
+} 
+```
+
+| Alert details | Description |
+| ----- | ----- |
+| Path | `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` |
+| Value | `DoNotConnectToWindowsUpdateInternetLocations` |
+
+### PowerShell
+
+Copy and paste the following PowerShell script into PowerShell or a PowerShell editor, and save it with a `.ps1` extension. For more information, see [Remove-ItemProperty (Microsoft.PowerShell.Management)](/powershell/module/microsoft.powershell.management/remove-itemproperty).
+
+```powershell
+Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DoNotConnectToWindowsUpdateInternetLocations"
+Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DisableWindowsUpdateAccess"
+Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "WUServer"
+Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer"
+Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate"
+```
+
+### Batch file
+
+Copy and paste the following code into a text editor, and save it with a `.cmd` extension, and execute against affected devices. This command removes registry keys that affect the Windows Autopatch service. For more information, see [Using batch files: Scripting; Management Services](/previous-versions/windows/it-pro/windows-server-2003/cc758944(v=ws.10)?redirectedfrom=MSDN).
+
+```cmd
+@echo off
+echo Deleting registry keys...
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /f
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /f
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /f
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /f
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /f
+echo Registry keys deleted.
+Pause
+```
+
+### Registry file
+
+Copy the following code to a Notepad file, save as a `.reg` extension, and execute against affected devices. This removes registry keys that affect the Windows Autopatch service. For more information, see [How to add, modify, or delete registry subkeys and values by using a .reg file](https://support.microsoft.com/topic/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg-file-9c7f37cf-a5e9-e1cd-c4fa-2a26218a1a23).
+
+```cmd
+Windows Registry Editor Version 5.00
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
+"DoNotConnectToWindowsUpdateInternetLocations"=-
+"DisableWindowsUpdateAccess"=-
+"WUServer"=-
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 
+"UseWUServer"=-
+"NoAutoUpdate"=-
+```
+
+## Common sources of conflicting configurations
+
+The following examples can be used to validate if the configuration is persistent from one of the following services. The list isn’t an exhaustive, and Admins should be aware that changes can affect devices not managed by Windows Autopatch and should plan accordingly.
+
+### Group Policy management
+
+Group Policy management is the most popular client configuration tool in most organizations. For this reason, it’s most often the source of conflicting configurations. Use Result Set of Policy (RSOP) on an affected client can quickly identify if configured policies conflict with Windows Autopatch. For more information, see Use Resultant Set of Policy to Manage Group Policy.
+
+1. Launch an Elevated Command Prompt and enter `RSOP`.
+1. Navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**
+1. If a Policy **doesn’t exist** in Windows Update, then it appears to not be Group Policy.
+1. If a Policy **exists** in Windows Update is present, modify or limit the target of the conflicting policy to resolve the Alert.
+1. If the **Policy name** is labeled **Local Group Policy**, these settings could have been applied during imaging or by Configuration Manager.
+
+### Configuration Manager
+
+Configuration Manager is a common enterprise management tool that, among many things, can help manage Windows Updates. For this reason, we see many environments misconfigured when moving to either a 100% cloud or co-managed workloads even when the workloads are configured correctly. The client settings are often missed. For more information, see [About client settings and software updates](/mem/configmgr/core/clients/deploy/about-client-settings#software-updates).
+
+1. Go the **Microsoft Endpoint Configuration Manager Console**.
+1. Navigate to **Administration** > **Overview** > **Client Settings**.  
+1. Ensure **Software Updates** isn’t configured. If configured, it’s recommended to remove these settings to prevent conflicts with Windows Autopatch.
+
+## Third-party solutions
+
+Third-party solutions can include any other product that may write configurations for the devices in question, such as MDMs (Mobile Device Managers) or Policy Managers.
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
index 00eb8bc49b..21d90312fd 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
@@ -26,4 +26,4 @@ Capitalized terms used but not defined herein have the meanings given in the Pro
 
 ## Data Handling
 
-Driver and Firmware Updates Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Azure Active Directory, and Office (collectively for purposes of this provision "Windows Autopatch Input Services"). Once Customer Data from Windows Autopatch Input Services is integrated into Driver and Firmware Updates Preview, only the Product Terms and [DPA provisions](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Driver and Firmware Updates Preview apply to that data.
+Driver and Firmware Updates Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Microsoft Entra ID, and Office (collectively for purposes of this provision "Windows Autopatch Input Services"). Once Customer Data from Windows Autopatch Input Services is integrated into Driver and Firmware Updates Preview, only the Product Terms and [DPA provisions](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Driver and Firmware Updates Preview apply to that data.
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 73fc735624..e800c3533c 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 08/17/2023 
+ms.date: 10/19/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@@ -21,15 +21,50 @@ This article lists new and updated feature releases, and service releases, with
 
 Minor corrections such as typos, style, or formatting issues aren't listed.
 
+## October 2023
+
+## October service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC680344](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Service Improvements |
+
+## September 2023
+
+### September feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Conflicting configurations](../references/windows-autopatch-conflicting-configurations.md) | New feature. This article explains how to remediate conflicting configurations<ul><li>[MC671811](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
+
+### September service releases
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC678305](https://admin.microsoft.com/adminportal/home#/MessageCenter) | September 2023 Windows Autopatch baseline configuration update |
+| [MC678303](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch availability within Microsoft Intune Admin Center |
+| [MC674422](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public Preview: Windows Autopatch Reliability Report |
+| [MC672750](https://admin.microsoft.com/adminportal/home#/MessageCenter) | August 2023 Windows Autopatch baseline configuration update |
+
 ## August 2023
 
 ### August feature releases or updates
 
 | Article | Description |
 | ----- | ----- |
+| [Deployment guide](../overview/windows-autopatch-deployment-guide.md) | New guide. This guide explains how to successfully deploy Windows Autopatch in your environment |
+| [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | Added the **This pause is related to Windows Update** option to the [Pause and resume a release feature](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) |
+| [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)| Added [policy settings](../operate/windows-autopatch-manage-driver-and-firmware-updates.md#view-driver-and-firmware-policies-created-by-windows-autopatch) for all deployment rings |
+| [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md) | General Availability<ul><li>[MC661218](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
 | [Exclude a device](../operate/windows-autopatch-exclude-device.md) | Renamed Deregister a device to [Exclude a device](../operate/windows-autopatch-exclude-device.md). Added the [Restore device](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) feature <ul><li>[MC667662](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
 | [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) |
 
+### August service releases
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC671811](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch Service Improvements |
+
 ## July 2023
 
 ### July feature releases or updates
diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml
index b8fb1254fb..211570e4b0 100644
--- a/windows/hub/breadcrumb/toc.yml
+++ b/windows/hub/breadcrumb/toc.yml
@@ -1,67 +1,3 @@
-items:
-  - name: Docs
-    tocHref: /
-    topicHref: /
-    items:
-      - name: Windows
-        tocHref: /windows/
-        topicHref: /windows/resources/
-        items:
-          - name: What's new
-            tocHref: /windows/whats-new/
-            topicHref: /windows/whats-new/
-          - name: Configuration
-            tocHref: /windows/configuration/
-            topicHref: /windows/configuration/
-          - name: Deployment
-            tocHref: /windows/deployment/
-            topicHref: /windows/deployment/
-            items:
-              - name: Delivery Optimization
-                tocHref: /windows/deployment/do/
-                topicHref: /windows/deployment/do/
-          - name: Application management
-            tocHref: /windows/application-management/
-            topicHref: /windows/application-management/
-          - name: Client management
-            tocHref: /windows/client-management/
-            topicHref: /windows/client-management/
-            items:
-              - name: CSP reference
-                tocHref: /windows/client-management/mdm/
-                topicHref: /windows/client-management/mdm/
-          - name: Privacy
-            tocHref: /windows/privacy/
-            topicHref: /windows/privacy/
-          - name: Security
-            tocHref: /windows/security/
-            topicHref: /windows/security/
-            items:
-              - name: Hardware security
-                tocHref: /windows/security/hardware-security/
-                topicHref: /windows/security/hardware-security/
-              - name: Operating system security
-                tocHref: /windows/security/operating-system-security/
-                topicHref: /windows/security/operating-system-security/
-              - name: Identity protection
-                tocHref: /windows/security/identity-protection/
-                topicHref: /windows/security/identity-protection/
-              - name: Application security
-                tocHref: /windows/security/application-security/
-                topicHref: /windows/security/application-security/
-                items:
-                  - name: Application Control for Windows
-                    tocHref: /windows/security/application-security/application-control/windows-defender-application-control/
-                    topicHref: /windows/security/application-security/application-control/windows-defender-application-control/
-                  - name: Microsoft Defender Application Guard
-                    tocHref: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/
-                    topicHref: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
-              - name: Security foundations
-                tocHref: /windows/security/security-foundations/
-                topicHref: /windows/security/security-foundations/
-              - name: Security auditing
-                tocHref: /windows/security/threat-protection/auditing/
-                topicHref: /windows/security/threat-protection/auditing/security-auditing-overview
-              - name: Security policy settings
-                tocHref: /windows/security/threat-protection/security-policy-settings/
-                topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings
\ No newline at end of file
+- name: Windows
+  tocHref: /windows/
+  topicHref: /windows/index
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 4d3e1900ea..83dda7c0fe 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -15,7 +15,7 @@ metadata:
   author: paolomatarazzo
   ms.author: paoloma
   manager: aaroncz
-  ms.date: 06/20/2023
+  ms.date: 09/26/2023
 
 highlightedContent:
   items:
@@ -34,15 +34,19 @@ highlightedContent:
   - title: Windows commercial licensing
     itemType: overview
     url: /windows/whats-new/windows-licensing
+  - title: Copilot in Windows
+    itemType: how-to-guide
+    url: /windows/client-management/manage-windows-copilot
   - title: Windows 365 documentation
     itemType: overview
     url: /windows-365
   - title: Explore all Windows trainings and learning paths for IT pros
     itemType: learn
     url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator
-  - title: Enroll Windows client devices in Microsoft Intune
-    itemType: how-to-guide
-    url: /mem/intune/fundamentals/deployment-guide-enrollment-windows
+
+#  - title: Enroll Windows client devices in Microsoft Intune
+#    itemType: how-to-guide
+#    url: /mem/intune/fundamentals/deployment-guide-enrollment-windows
 
 productDirectory:
   title: Get started
@@ -69,10 +73,10 @@ productDirectory:
       links:
         - url: /windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines
           text: Windows security baselines
-        - url: /windows/security/identity-protection/credential-guard/credential-guard-how-it-works
-          text: Windows Defender Credential Guard
-        - url: /windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust
-          text: Windows Hello for Business cloud Kerberos trust
+        - url: /windows/security/identity-protection/hello-for-business
+          text: Windows Hello for Business
+        - url: /windows/security/identity-protection/web-sign-in
+          text: Web sign-in for Windows
         - url: /windows/security/threat-protection/windows-defender-application-control
           text: Windows Defender Application Control (WDAC)
         - url: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
@@ -105,8 +109,8 @@ productDirectory:
           text: Configuration Service Provider (CSP)
         - url: /windows/client-management/administrative-tools-in-windows-10
           text: Windows administrative tools
-        - url: /windows/client-management/client-tools/quick-assist
-          text: Use Quick Assist to help users
+        - url: /windows/client-management/manage-windows-copilot
+          text: Manage Copilot in Windows
         - url: /windows/application-management/index
           text: Learn more about application management >
         - url: /windows/client-management
diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md
index 82b280bbf7..5187258157 100644
--- a/windows/privacy/Microsoft-DiagnosticDataViewer.md
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 12/13/2018
 ms.topic: how-to
 ---
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index d94dfccb33..4efbc4d3f5 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 localizationpriority: medium
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 03/27/2017
 ms.topic: reference
 ---
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index e5c6bbb3a2..eea8e6ddd5 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 localizationpriority: medium
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 03/27/2017
 ms.topic: reference
 ---
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index c94b44464a..a8356f8456 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 localizationpriority: medium
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 03/27/2017
 ms.topic: reference
 ---
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 8c7588deb0..3d03e6bc7b 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -7,7 +7,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 05/23/2023
+ms.date: 09/26/2023
 ms.topic: reference
 ---
 
@@ -1749,6 +1749,30 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntAdd
+
+This event sends data indicating whether the system supports the PopCnt CPU requirement for newer versions of Windows, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version
+- **Blocking**  Is the upgrade blocked due to the processor missing the PopCnt instruction?
+- **PopCntPassed**  Whether the machine passes the latest OS hardware requirements or not for the PopCnt instruction.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntStartSync
+
+The SystemProcessorPopCntStartSync event indicates that a new set of SystemProcessorPopCntAdd events will be sent. This event is used to understand if the system supports the PopCnt CPU requirement for newer versions of Windows.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version
+
+
 ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
 
 This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
@@ -2148,7 +2172,7 @@ This event sends data about Azure presence, type, and cloud domain use in order
 
 The following fields are available:
 
-- **AADDeviceId**  Azure Active Directory device ID.
+- **AADDeviceId**  Microsoft Entra ID device ID.
 - **AzureOSIDPresent**  Represents the field used to identify an Azure machine.
 - **AzureVMType**  Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
 - **CDJType**  Represents the type of cloud domain joined for the machine.
@@ -2156,7 +2180,7 @@ The following fields are available:
 - **ContainerType**  The type of container, such as process or virtual machine hosted.
 - **EnrollmentType**  Defines the type of MDM enrollment on the device.
 - **HashedDomain**  The hashed representation of the user domain used for login.
-- **IsCloudDomainJoined**  Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsCloudDomainJoined**  Is this device joined to a Microsoft Entra tenant? true/false
 - **IsDERequirementMet**  Represents if the device can do device encryption.
 - **IsDeviceProtected**  Represents if Device protected by BitLocker/Device Encryption
 - **IsDomainJoined**  Indicates whether a machine is joined to a domain.
@@ -2164,7 +2188,7 @@ The following fields are available:
 - **IsMDMEnrolled**  Whether the device has been MDM Enrolled or not.
 - **MPNId**  Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
 - **SCCMClientId**  This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment.
-- **ServerFeatures**  Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **ServerFeatures**  Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
 - **SystemCenterID**  The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
 
 
@@ -2586,6 +2610,17 @@ The following fields are available:
 
 ## Code Integrity events
 
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.AutoEnablementIsBlocked
+
+Indicates if OEM attempted to block autoenablement via regkey.
+
+The following fields are available:
+
+- **BlockHvciAutoenablement**  True if auto-enablement was successfully blocked, false otherwise.
+- **BlockRequested**  Whether an autoenablement block was requested.
+- **Scenario**  Used to differentiate VBS and HVCI paths.
+
+
 ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Compatibility
 
 Fires when the compatibility check completes. Gives the results from the check.
@@ -2596,6 +2631,18 @@ The following fields are available:
 - **Issues**  If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement).
 
 
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled
+
+Fires when auto-enablement is successful and HVCI is being enabled on the device.
+
+The following fields are available:
+
+- **Error**  Error code if there was an issue during enablement
+- **Scenario**  Indicates whether enablement was for VBS vs HVCI
+- **SuccessfullyEnabled**  Indicates whether enablement was successful
+- **Upgrade**  Indicates whether the event was fired during upgrade (rather than clean install)
+
+
 ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HVCIActivity
 
 Fires at the beginning and end of the HVCI auto-enablement process in sysprep.
@@ -3368,7 +3415,7 @@ The following fields are available:
 - **ClientID**  Client ID being run.
 - **CoordinatorVersion**  Coordinator version of DTU.
 - **CV**  Correlation vector.
-- **IsDeviceAADDomainJoined**  Indicates whether the device is logged in to the AAD (Azure Active Directory) domain.
+- **IsDeviceAADDomainJoined**  Indicates whether the device is logged in to the Microsoft Entra domain.
 - **IsDeviceADDomainJoined**  Indicates whether the device is logged in to the AD (Active Directory) domain.
 - **IsDeviceCloverTrail**  Indicates whether the device has a Clover Trail system installed.
 - **IsDeviceFeatureUpdatingPaused**  Indicates whether Feature Update is paused on the device.
@@ -5756,6 +5803,44 @@ The following fields are available:
 - **totalRuns**  Total number of running/evaluation from last time.
 
 
+## Other events
+
+### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
+
+Heartbeat is sent once a day to indicate Defender is running and functional. Event includes necessary information to understand health of Defender on the device.
+
+The following fields are available:
+
+- **AppVersion**  Version of the Defender platform
+- **CampRing**  Camp ring used for monthly deployment
+- **CfaMode**  State of Controlled Folder Access
+- **ConsumerAsrMode**  State of Attack Surface Reduction
+- **CountAsrRules**  Number of Attack Surface Reduction rules in place
+- **EngineRing**  Engine ring used for monthly deployment
+- **EngineVersion**  Version of the AntiMalware Engine
+- **HeartbeatType**  Enum of the reason the heartbeat is collected
+- **IsAsrAnyAudit**  Flag to indicate if any Attack Surface Reduction rules are running in Audit mode
+- **IsAsrAnyBlock**  Flag to indicate if any Attack Surface Reduction rules are running in Block mode
+- **IsBeta**  Flag to indicate if the user has opted in for Beta updates for Defender
+- **IsManaged**  Flag to indicate if Defender is running in manage mode
+- **IsPassiveMode**  Flag to indicate if Defender is in Passive mode for ATP
+- **IsSxsPassiveMode**  Flag to indicate if Defender is in Passive mode for Limited periodic scanning
+- **ProductGuid**  Defender Product Guid (static for Defender)
+- **PusMode**  Mode for blocking potentially unwanted software
+- **ShouldHashIds**  Do we have ISO Compliance requirement to hash IDs for e5
+- **SignatureRing**  Signature ring used for deployments
+- **SigVersion**  Version of signature VDMs
+
+
+### Microsoft.Windows.SecureBootTelemetry.SecureBootEncodeUEFI
+
+Information about Secure Boot configuration including the PK, KEKs, DB and DBX files on the device.
+
+The following fields are available:
+
+- **SecureBootUEFIEncoding**  Information about the PK, KEKs, DB and DBX files on the device.
+
+
 ## Privacy consent logging events
 
 ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@@ -6633,7 +6718,7 @@ The following fields are available:
 - **CachedEngineVersion**  For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
 - **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
 - **CapabilityDetectoidGuid**  The GUID for a hardware applicability detectoid that could not be evaluated.
-- **CDNCountryCode**  Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNCountryCode**  Two letter country or region abbreviation for the Content Distribution Network (CDN) location.
 - **CDNId**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
 - **ClientVersion**  The version number of the software distribution client.
 - **CommonProps**  A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0.
@@ -6757,7 +6842,7 @@ The following fields are available:
 - **CallerApplicationName**  The name provided by the application that initiated API calls into the software distribution client.
 - **CbsDownloadMethod**  Indicates whether the download was a full- or a partial-file download.
 - **CbsMethod**  The method used for downloading the update content related to the Component Based Servicing (CBS) technology.
-- **CDNCountryCode**  Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNCountryCode**  Two letter country or region abbreviation for the Content Distribution Network (CDN) location.
 - **CDNId**  ID which defines which CDN the software distribution client downloaded the content from.
 - **ClientVersion**  The version number of the software distribution client.
 - **CommonProps**  A bitmask for future flags associated with the Windows Update client behavior.
@@ -9667,10 +9752,10 @@ The following fields are available:
 - **CV**  The correlation vector.
 - **GlobalEventCounter**  Counts the events at the global level for telemetry.
 - **PackageVersion**  The package version for currency tools.
-- **UnifiedInstallerDeviceAADJoinedHresult**  The result code after checking if device is AAD joined.
+- **UnifiedInstallerDeviceAADJoinedHresult**  The result code after checking if device is Microsoft Entra joined.
 - **UnifiedInstallerDeviceInDssPolicy**  Boolean indicating whether the device is found to be in a DSS policy.
 - **UnifiedInstallerDeviceInDssPolicyHresult**  The result code for checking whether the device is found to be in a DSS policy.
-- **UnifiedInstallerDeviceIsAADJoined**  Boolean indicating whether a device is AADJ.
+- **UnifiedInstallerDeviceIsAADJoined**  Boolean indicating whether a device is Microsoft Entra joined.
 - **UnifiedInstallerDeviceIsAdJoined**  Boolean indicating whether a device is AD joined.
 - **UnifiedInstallerDeviceIsAdJoinedHresult**  The result code for checking whether a device is AD joined.
 - **UnifiedInstallerDeviceIsEducationSku**  Boolean indicating whether a device is Education SKU.
@@ -9752,7 +9837,7 @@ The following fields are available:
 
 ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin
 
-This event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure.
+This event is sent when the device is not Microsoft Entra joined. The data collected with this event is used to help keep Windows up to date and secure.
 
 The following fields are available:
 
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 2b7ee3b4fa..9ae71c39f5 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 localizationpriority: medium
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 03/27/2017
 ms.topic: reference
 ---
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 01ea346024..945499c4b7 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 06/04/2020
 ms.topic: conceptual
 ---
@@ -70,61 +70,17 @@ For more info, see [Configure Windows diagnostic data in your organization](conf
 
 Customers who use services that depend on Windows diagnostic data, such as [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data), may be impacted by the behavioral changes when they're released. These services will be updated to address these changes and guidance will be published on how to configure them properly.
 
-## Significant changes coming to the Windows diagnostic data processor configuration
-
-Currently, to enroll devices in the [Window diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level.
-
-To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on.
-
-***We’ll stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. Instead, we’ll be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsoft’s role in data processing.***
-
-We’re making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region.
-
-### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA)
-
-For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe.
-
-From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows).
-
-### Devices in Azure AD tenants with a billing address outside of the EU and EFTA
-
-For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data:
-
-- [Update Compliance](/windows/deployment/update/update-compliance-monitor)
-- [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview)
-- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview)
-- [Microsoft Managed Desktop](/managed-desktop/intro/)
-- [Endpoint analytics (in Microsoft Intune)](/mem/analytics/overview)
-
-*(Additional licensing requirements may apply to use these services.)*
-
-If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data.
+## Significant change to the Windows diagnostic data processor configuration
 
 > [!NOTE]
-> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
+> The information in this section applies to the following versions of Windows:
+> - Windows 10, versions 20H2, 21H2, 22H2, and newer
+> - Windows 11, versions 21H2, 22H2, and newer
 
-### Rollout plan for this change
+Previously, IT admins could use policies (for example, the “Allow commercial data pipeline” policy) at the individual device level to enroll devices in the Windows diagnostic data processor configuration.
 
-This change will rollout in phases, starting  with Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program. Starting in build 25169, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option.
+Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined.
 
-During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA:
+We made this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way and in the same geographic region, and to help us implement our plan to [store and process EU Data for European enterprise customers in the EU](/privacy/eudb/eu-data-boundary-learn).
 
-- Devices can't be enabled for the Windows diagnostic data processor configuration at this time.
-- The processor configuration will be disabled in any devices that were previously enabled.
-- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
-
-It's recommended Insiders on these devices pause flighting if these changes aren't acceptable.
-
-For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
-
-For other Windows devices (not in the Dev Channel), the change will rollout with the January 2023 release preview cumulative update for Windows 10 versions 20H2, 21H2 and 22H2, and Windows 11 versions 21H2 and 22H2.
-
-To prepare for this change, ensure that you meet the [prerequisites](configure-windows-diagnostic-data-in-your-organization.md#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD (can be a hybrid Azure AD join), and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services.
-
-As part of this change, the following policies will no longer be supported to configure the processor option:
- - Allow commercial data pipeline
- - Allow Desktop Analytics Processing
- - Allow Update Compliance Processing
- - Allow WUfB Cloud Processing
- - Allow Microsoft Managed Desktop Processing
- - Configure the Commercial ID
+For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration).
\ No newline at end of file
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 17cd1c6c1d..3c8c0f57d5 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 03/11/2016
 ms.collection: highpri
 ms.topic: conceptual
@@ -321,10 +321,12 @@ For the best experience, use the most current build of any operating system spec
 The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable:
 
 - us-v10c.events.data.microsoft.com (eu-v10c.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations))
-- umwatsonc.events.data.microsoft.com (eu-watsonc.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations))
+- watsonc.events.data.microsoft.com (eu-watsonc.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations))
 - settings-win.data.microsoft.com
 - *.blob.core.windows.net
 
+Tenants with billing addresses in countries or regions in the Middle East and Africa, as well as European countries or regions not in the EU, also use the eu-v10c.events.data.microsoft.com and eu-watsonc.events.data.microsoft.com endpoints. Their diagnostic data is processed initially in Europe, but those tenants aren't considered part of the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn).
+
 >[!Note]
 > - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled.
 > - When you enable devices with the Windows diagnostic data processor configuration, users may continue to submit feedback through various channels such as Windows feedback hub or Edge feedback. However, the feedback data is not subject to the terms of the Windows diagnostic data processor configuration. If this is not desired, we recommend that you disable feedback using the available policies or application management solutions.
@@ -342,20 +344,16 @@ Starting with the January 2023 preview cumulative update, how you enable the pro
 
 For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe.
 
-> [!NOTE]
-> The Windows diagnostic data processor configuration has components for which work is in progress to be included in the EU Data Boundary, but completion of this work is delayed beyond January 1, 2023. These components will be included in the EU Data Boundary in the coming months. In the meantime, Microsoft will temporarily transfer data out of the EU Data Boundary as part of service operations to ensure uninterrupted operation of the services customers signed up for.
-
 From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows).
 
 #### Devices in Azure AD tenants with a billing address outside of the EU and EFTA
 
 For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data:
 
-- [Update Compliance](/windows/deployment/update/update-compliance-monitor)
 - [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview)
 - [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview)
-- [Microsoft Managed Desktop](/managed-desktop/intro/)
-- [Endpoint analytics (in Microsoft Intune)](/mem/analytics/overview)
+- [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
+- [Windows updates reports (in Microsoft Intune)](/mem/intune/protect/data-enable-windows-data#windows-data)
 
 *(Additional licensing requirements may apply to use these services.)*
 
diff --git a/windows/privacy/copilot-supplemental-terms.md b/windows/privacy/copilot-supplemental-terms.md
new file mode 100644
index 0000000000..55b0a3386a
--- /dev/null
+++ b/windows/privacy/copilot-supplemental-terms.md
@@ -0,0 +1,70 @@
+---
+title: COPILOT IN WINDOWS (PREVIEW) SUPPLEMENTAL TERMS 
+description: The Supplemental Terms for Copilot in Windows (Preview)
+ms.prod: windows-client
+ms.technology: itpro-privacy
+ms.localizationpriority: medium
+author: DHB-MSFT
+ms.author: danbrown
+manager: laurawi
+ms.date: 09/20/2023
+ms.topic: conceptual
+hideEdit: true
+layout: ContentPage
+ROBOTS: NOINDEX, NOFOLLOW
+feedback_system: None
+---
+
+# COPILOT IN WINDOWS (PREVIEW) SUPPLEMENTAL TERMS
+
+Copilot in Windows is your AI companion that brings productivity to your fingertips. Leveraging Bing Chat or Bing Chat Enterprise, Copilot in Windows accelerates your tasks, reduces friction, saves you time and provides you with personalized answers, inspiration and task assistance. Your use of Copilot in Windows is subject to these supplemental terms of use (“Terms”). By using Copilot in Windows you agree to be bound by these Terms.
+
+1. Preview
+
+    a. COPILOT IN WINDOWS IS A PREVIEW FEATURE AND IS PROVIDED “AS-IS,” “WITH ALL FAULTS,” AND “AS AVAILABLE".  
+
+    b. Microsoft makes no guarantees or promises about how Copilot in Windows operates or that it will function as intended.
+
+2. Eligibility and Use Requirements.
+
+    a. You must be signed into Windows with your Microsoft account to access Copilot in Windows.  
+
+    b. If you're signed into Windows with your work or school account, your organization may have given you the ability to use Copilot in Windows. If you have access to Copilot in Windows but your organization hasn't enabled Bing Chat Enterprise, your use will be limited to Bing Chat’s current turn limit.
+
+    c. Along with these Terms, your use of Copilot in Windows is also governed by the Microsoft Services Agreement, which is incorporated by reference. You agree that Copilot in Windows constitutes a Service, as defined in the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). If there's any conflict between these Terms and the Microsoft Services Agreement, the conflicting provision in these Terms will control.
+
+3. Bing Chat
+
+    a. Your Copilot in Windows experiences powered by Bing Chat are subject to [Bing Chat’s terms of use](https://go.microsoft.com/fwlink/p/?linkid=2247757).  
+
+    b. If your organization is allowing you to use Bing Chat Enterprise, your Copilot in Windows experiences will be powered by Bing Chat Enterprise and will be subject to [Bing Chat Enterprise’s terms of use](https://go.microsoft.com/fwlink/p/?linkid=2247908).
+
+4. Using Copilot in Windows
+
+    a. Copilot in Windows may allow you to submit text inputs and converse with an online computer-powered chatbot and in certain circumstances generate text content or image content. Your use of Copilot in Windows must comply with the Code of Conduct section of the Microsoft Services Agreement and the Bing Chat Code of Conduct or Bing Chat Enterprise Content Policy.
+
+    b. Copilot in Windows may allow you to change some of your Windows settings based on the text you submit into Copilot in Windows. Additionally, when you copy text in other apps while Copilot in Windows is open, it may automatically prompt you with suggestions to send the copied text to the chat and offer further suggestions of what you can do with that text.
+
+    c. You can consent to letting Copilot in Windows access your Microsoft Edge webpage content. This allows Copilot in Windows to provide relevant responses by accessing content from your active foreground Edge tab. This can be adjusted anytime in Copilot in Windows settings.
+
+5. Data
+
+    a. All data processed by Copilot in Windows, including voice input data, will be processed according to the Microsoft Privacy Statement.
+
+6. Ownership of Content
+
+    a. Microsoft doesn't claim ownership of any content you provide, post, input, or submit to, or receive from, Copilot in Windows, Bing Chat, or Bing Chat Enterprise (including feedback and suggestions). You'll need to make your own determination regarding the intellectual property rights you have in output content and its commercial usability, taking into account, among other things, your usage scenario(s) and the laws of the relevant jurisdiction. You warrant and represent that you or your organization owns or otherwise controls all of the rights to your content as described in these Terms including, without limitation, all the rights necessary for you to provide, post, upload, input or submit the content.  
+
+7. Third-party claims
+
+    a. You're responsible for responding to any third-party claims regarding your use of Copilot in Windows in compliance with applicable laws (including, but not limited to, copyright infringement or other claims relating to output content that was output during your use of Copilot in Windows).
+
+8. Reverse engineering  
+
+    a. You may not use Copilot in Windows to discover any underlying components of the models, algorithms, or systems, such as exfiltrating the weights of models.
+
+9. Extracting data
+
+    a. You may not use web scraping, web harvesting, or web data extraction methods to extract data from Copilot in Windows or from any output content.
+
+10. **IF YOU LIVE IN (OR YOUR PRINCIPAL PLACE OF BUSINESS IS IN) THE UNITED STATES, PLEASE READ THE BINDING ARBITRATION CLAUSE AND CLASS ACTION WAIVER IN SECTION 15 OF THE MICROSOFT SERVICES AGREEMENT. IT AFFECTS HOW DISPUTES RELATING TO THIS AGREEMENT ARE RESOLVED.**
\ No newline at end of file
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index ea7edc20e5..df75c73dc5 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 01/09/2018
 ms.collection: highpri
 ms.topic: how-to
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 44e5b9392e..35522da4b4 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -57,7 +57,10 @@
         "jborsecnik",
         "tiburd",
         "garycentric",
-        "beccarobins"
+        "beccarobins",        
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ]
     },
       "searchScope": ["Windows 10"]
diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index 4810a1dd57..b8bd28080f 100644
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 10/12/2017
 ms.topic: reference
 ---
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index fb53b23a7e..a16d53210c 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 06/28/2021
 ms.collection: highpri
 ms.topic: reference
diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml
index ae7788c4a1..a6892742ba 100644
--- a/windows/privacy/index.yml
+++ b/windows/privacy/index.yml
@@ -12,7 +12,7 @@ metadata:
   ms.collection: highpri
   author: DHB-MSFT
   ms.author: danbrown
-  manager: dougeby
+  manager: laurawi
   ms.date: 09/08/2021 #Required; mm/dd/yyyy format.
   ms.localizationpriority: high
 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index 5494398cf6..cf953e1759 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 05/15/2019
 ms.topic: conceptual
 ---
@@ -156,6 +156,8 @@ For Windows 10 and Windows 11, the following MDM policies are available in the [
    1. Windows Update Allow Update Service - [Update/AllowUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowupdateservice). Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)**
    1. Windows Update Service URL - [Update/UpdateServiceUrl](/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value:
       1. **\<Replace>\<CmdID>$CmdID$</CmdID>\<Item>\<Meta>\<Format>chr</Format>\<Type>text/plain</Type>\</Meta>\<Target> \<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>\</Target>\<Data>http://abcd-srv:8530</Data>\</Item>\</Replace>**
+28. **Recommendations** </br>
+   a. [HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) setting in the Start Policy configuration service provider (CSP). To hide a list of recommended apps and files in the Recommended section on the Start menu.
 
 ### <a href="" id="bkmk-mdm-allowedtraffic"></a> Allowed traffic for Microsoft Intune / MDM configurations
 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index ab319962f8..c487f33918 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 03/07/2016
 ms.collection: highpri
 ms.topic: conceptual
@@ -113,6 +113,7 @@ The following table lists management options for each setting,  For Windows 10 (
 | [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) |  |
 | [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [32. Widgets](#bkmk-widgets) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [33. Recommendations](#33-recommendations) |![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 
 
 ### Settings for Windows Server 2016 with Desktop Experience
@@ -1923,6 +1924,16 @@ To turn off Widgets, you can use Group Policy or a custom setting in an MDM solu
 
 For more information about AllowNewsAndInterests and the “Allow widgets” policy, [review this information](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests).
 
+### 33. Recommendations
+
+The Recommended section on the Start menu displays a list of recommended apps and files.
+
+To turn off these recommendations, you can use any of the following methods:
+
+- In Group Policy, set the "Remove Recommended from Start Menu" policy to Enabled under **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**.
+- In an MDM solution, such as Microsoft Intune, you can use the [HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) setting in the Start Policy configuration service provider (CSP).
+- In the registry, you can set **HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs** to 0.
+- In the UI, you can turn off **Show recently opened items in Start, Jump Lists, and File Explorer** under **Settings** > **Personalization** > **Start**.
 
 ### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
 
@@ -1933,5 +1944,4 @@ For more information about AllowNewsAndInterests and the “Allow widgets” pol
 |ocsp.digicert.com/*|
 |www.microsoft.com/pkiops/*|
 
-
 To learn more, see [Device update management](/windows/client-management/mdm/device-update-management) and [Configure Automatic Updates by using Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720539(v=ws.10)).
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index ae9fabcf1a..79bba0d70f 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 06/23/2023
+ms.date: 10/06/2023
 ms.topic: reference
 ---
 
@@ -34,7 +34,7 @@ The following methodology was used to derive these network endpoints:
 2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device).
 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
 4. Compile reports on traffic going to public IP addresses.
-5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Azure Active Directory.
+5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Microsoft Entra ID.
 6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@@ -54,6 +54,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
 |Certificates|||[Learn how to turn off traffic to all of the following endpoint(s) for certificates.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
 ||Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or isn't trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. |TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
+|||HTTP|ocsp.digicert.com|
 |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s) for Cortana and Live Tiles.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
 ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you'll block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
 |||HTTPS|business.bing.com|
@@ -66,11 +67,20 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 |||HTTP|dual-s-ring.msedge.net|
 |||HTTP|creativecdn.com|
 |||HTTP|edgeassetservice.azureedge.net|
+|||HTTP|r.bing.com|
+|||HTTPS|a-ring-fallback.msedge.net|
+|||HTTPS|fp-afd-nocache-ccp.azureedge.net|
+|||TLSv1.2|prod-azurecdn-akamai-iris.azureedge.net|
+|||TLSv1.2|widgetcdn.azureedge.net|
+|||TLSv1.2|widgetservice.azurefd.net|
 |Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s) for device authentication.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
 ||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device won't be authenticated.|HTTPS|login.live.com*|
 |Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s) for device metadata.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
 ||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata won't be updated for the device.|HTTP|dmd.metaservices.microsoft.com|
 |Diagnostic Data| ||[Learn how to turn off traffic to all of the following endpoint(s) for diagnostic data.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||TLSv1.2|functional.events.data.microsoft.com|
+|||HTTP|browser.events.data.msn.com|
+|||TLSv1.2/HTTP|www.microsoft.com|
 ||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft.|TLSv1.2/HTTP|self.events.data.microsoft.com|
 |||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
 ||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information won't be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
@@ -89,6 +99,13 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 |||HTTPS|weathermapdata.blob.core.windows.net|
 |Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft account.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
 ||The following endpoint is used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users can't sign in with Microsoft accounts. |TLSv1.2/HTTPS/HTTP|login.live.com|
+|Microsoft Defender Antivirus|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Defender Antivirus.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
+||The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.|TLSv1.2/HTTPS|wdcp.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
+|||HTTPS/HTTP|checkappexec.microsoft.com|
+|||TLSv1.2/HTTP|ping-edge.smartscreen.microsoft.com|
+|||HTTP|data-edge.smartscreen.microsoft.com|
+|||TLSv1.2|nav-edge.smartscreen.microsoft.com|
 |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Edge.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
 |||TLSv1.2/HTTP|edge.microsoft.com|
 |||TLSv1.2/HTTP|windows.msn.com|
@@ -106,14 +123,13 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 |||HTTP|share.microsoft.com|
 ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
 |Microsoft To Do|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft To Do.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
-||The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.officeppe.com|
-|||HTTP|staging.to-do.microsoft.com|
+||The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.microsoft.com|
 |||TLSv1.2/HTTP|to-do.microsoft.com|
 |Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s) for Network Connection Status Indicator (NCSI).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
 ||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the internet, and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
 |||HTTP|ipv6.msftconnecttest.com|
 |Office|||[Learn how to turn off traffic to all of the following endpoint(s) for Office.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
-||The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTPS|www.office.com|
+||The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTPS|www.office.com|
 |||HTTPS|blobs.officehome.msocdn.com|
 |||HTTPS|officehomeblobs.blob.core.windows.net|
 |||HTTPS|self.events.data.microsoft.com|
@@ -121,6 +137,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 |||HTTP|officeclient.microsoft.com|
 |||HTTP|ecs.nel.measure.office.net|
 |||HTTPS/HTTP|telecommandstorageprod.blob.core.windows.net|
+|||TLSv1.2|odc.officeapps.live.com|
 |OneDrive|||[Learn how to turn off traffic to all of the following endpoint(s) for OneDrive.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
 ||The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|TLSv1.2/HTTPS/HTTP|g.live.com|
 |||HTTP|onedrive.live.com|
@@ -136,10 +153,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 ||The following endpoints are used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
 |||HTTP|teams.live.com|
 |||TLSv1.2/HTTP|teams.events.data.microsoft.com|
-|Microsoft Defender Antivirus|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Defender Antivirus.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
-||The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.|HTTPS/TLSv1.2|wdcp.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
-|||HTTPS/HTTP|checkappexec.microsoft.com|
+|||HTTP|statics.teams.cdn.live.net|
 |Windows Spotlight|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Spotlight.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
 ||The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. |TLSv1.2/HTTPS/HTTP|arc.msn.com|
 |||HTTPS|ris.api.iris.microsoft.com|
@@ -150,7 +164,9 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 |||HTTP|srtb.msn.com|
 |||TLSv1.2/HTTP|www.msn.com|
 |||TLSv1.2/HTTP|fd.api.iris.microsoft.com|
+|||TLSv1.2|staticview.msn.com|
 |Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
+|||TLSv1.2|definitionupdates.microsoft.com|
 ||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
 |||HTTP|emdl.ws.microsoft.com|
 ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device won't be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
@@ -160,9 +176,10 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
 ||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
 ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint, and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
 |Xbox Live|||[Learn how to turn off traffic to all of the following endpoint(s) for Xbox Live.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
-||The following endpoint is used for Xbox Live.|HTTPS|dlassets-ssl.xboxlive.com|
+||The following endpoints are used for Xbox Live.|HTTPS|dlassets-ssl.xboxlive.com|
+|||TLSv1.2|da.xboxservices.com|
 
 ## Related links
 
 - [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
+- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index 4f20129c27..8b7dd967e8 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 01/18/2018
 ms.topic: reference
 ---
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index d83acf0faf..fe97fc1a69 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 01/18/2018
 ms.topic: reference
 ---
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index 71a9674bfc..118a25fb5c 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 01/18/2018
 ms.topic: reference
 ---
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index 9e492fa5e4..f6b643c76d 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 01/18/2018
 ms.topic: reference
 ---
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md
index dbce1a6460..6d1f53fe97 100644
--- a/windows/privacy/manage-windows-20H2-endpoints.md
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 01/18/2018
 ms.topic: reference
 ---
diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md
index 9292ba3890..59568d1dd6 100644
--- a/windows/privacy/manage-windows-21H1-endpoints.md
+++ b/windows/privacy/manage-windows-21H1-endpoints.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 01/18/2018
 ms.topic: reference
 ---
diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md
index 423e60aac0..b43864a94f 100644
--- a/windows/privacy/manage-windows-21h2-endpoints.md
+++ b/windows/privacy/manage-windows-21h2-endpoints.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 01/18/2018
 ms.topic: reference
 ---
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
index 02a50f6187..6ec3eb3ad7 100644
--- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@@ -8,7 +8,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 05/23/2023
+ms.date: 09/26/2023
 ms.topic: reference
 ---
 
@@ -757,6 +757,30 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntAdd
+
+This event sends data indicating whether the system supports the PopCnt CPU requirement for newer versions of Windows, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version
+- **Blocking**  Is the upgrade blocked due to the processor missing the PopCnt instruction?
+- **PopCntPassed**  Whether the machine passes the latest OS hardware requirements or not for the PopCnt instruction.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntStartSync
+
+The SystemProcessorPopCntStartSync event indicates that a new set of SystemProcessorPopCntAdd events will be sent. This event is used to understand if the system supports the PopCnt CPU requirement for newer versions of Windows.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version.
+
+
 ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
 
 This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
@@ -967,7 +991,7 @@ This event sends data about Azure presence, type, and cloud domain use in order
 
 The following fields are available:
 
-- **AADDeviceId**  Azure Active Directory device ID.
+- **AADDeviceId**  Microsoft Entra ID device ID.
 - **AzureOSIDPresent**  Represents the field used to identify an Azure machine.
 - **AzureVMType**  Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
 - **CDJType**  Represents the type of cloud domain joined for the machine.
@@ -975,7 +999,7 @@ The following fields are available:
 - **ContainerType**  The type of container, such as process or virtual machine hosted.
 - **EnrollmentType**  Defines the type of MDM enrollment on the device.
 - **HashedDomain**  The hashed representation of the user domain used for login.
-- **IsCloudDomainJoined**  Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsCloudDomainJoined**  Is this device joined to a Microsoft Entra tenant? true/false
 - **IsDERequirementMet**  Represents if the device can do device encryption.
 - **IsDeviceProtected**  Represents if Device protected by BitLocker/Device Encryption
 - **IsEDPEnabled**  Represents if Enterprise data protected on the device.
@@ -2126,7 +2150,7 @@ The following fields are available:
 - **appNextVersion**  The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
 - **appPingEventAppSize**  The total number of bytes of all downloaded packages. Default: '0'.
 - **appPingEventDoneBeforeOOBEComplete**  Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply.
-- **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US.
+- **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
 - **appPingEventDownloadMetricsCdnCID**  Numeric value used to internally track the origins of the updated binaries. For example, 2.
 - **appPingEventDownloadMetricsDownloadedBytes**  For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
 - **appPingEventDownloadMetricsDownloader**  A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
@@ -2253,6 +2277,31 @@ The following fields are available:
 - **windowInstanceId**  Unique value for each window instance.
 
 
+### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
+
+Heartbeat is sent once a day to indicate Defender is running and functional. Event includes necessary information to understand health of Defender on the device.
+
+The following fields are available:
+
+- **AppVersion**  Version of the Defender platform
+- **CampRing**  Camp ring used for monthly deployment
+- **CfaMode**  State of Controlled Folder Access
+- **ConsumerAsrMode**  State of Attack Surface Reduction
+- **CountAsrRules**  Number of Attack Surface Reduction rules in place
+- **EngineRing**  Engine ring used for monthly deployment
+- **EngineVersion**  Version of the AntiMalware Engine
+- **IsAsrAnyAudit**  Flag to indicate if any Attack Surface Reduction rules are running in Audit mode
+- **IsAsrAnyBlock**  Flag to indicate if any Attack Surface Reduction rules are running in Block mode
+- **IsBeta**  Flag to indicate if the user has opted in for Beta updates for Defender.
+- **IsManaged**  Flag to indicate if Defender is running in manage mode
+- **IsPassiveMode**  Flag to indicate if Defender is in Passive mode for ATP
+- **IsSxsPassiveMode**  Flag to indicate if Defender is in Passive mode for Limited periodic scanning
+- **ProductGuid**  Defender Product Guid (static for Defender).
+- **PusMode**  Mode for blocking potentially unwanted software
+- **ShouldHashIds**  Do we have ISO Compliance requirement to hash IDs for e5
+- **SignatureRing**  Signature ring used for deployments
+- **SigVersion**  Version of signature VDMs
+
 ## Privacy consent logging events
 
 ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@@ -2281,6 +2330,29 @@ The following fields are available:
 - **TargetPath**  (Optional) If the operation is a move, the target path to which the file or directory is being moved.
 
 
+### Microsoft.Windows.Setup.WinSetupMon.TraceError
+
+Provides details about error in the functioning of upgrade data safety monitoring filter driver.
+
+The following fields are available:
+
+- **Message**  Text string describing the error condition.
+- **SessionId**  Identifier to correlate this component's telemetry with that of others.
+- **Status**  	NTSTATUS code related to the error.
+
+
+### Microsoft.Windows.Setup.WinSetupMon.TraceErrorVolume
+
+Provides details about error in the functioning of upgrade data safety monitoring filter driver, related to a specific volume (drive).
+
+The following fields are available:
+
+- **Message**  Text string describing the error condition.
+- **SessionId**  Identifier to correlate this component's telemetry with that of others.
+- **Status**  NTSTATUS code related to the error.
+- **Volume**  Path of the volume on which the error occurs
+
+
 ### SetupPlatformTel.SetupPlatformTelEvent
 
 This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios, to help keep Windows up to date.
@@ -3374,6 +3446,26 @@ The following fields are available:
 - **updateId**  Unique identifier for each update.
 
 
+### Microsoft.Windows.Update.Orchestrator.ScheduledScanBeforeInitialLogon
+
+Indicates that a scan before an initial logon is being scheduled
+
+The following fields are available:
+
+- **deferDurationInMinutes**  The delay in minutes until the scan for updates is performed.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **configuredPoliciescount**  Number of policies on the device.
+- **policiesNamevaluesource**  Policy name and source of policy (group policy, MDM or flight).
+- **updateInstalluxsetting**  Indicates whether a user has set policies via a user experience option.
+
+
 ### Microsoft.Windows.Update.SIHClient.TaskRunCompleted
 
 This event is a launch event for Server Initiated Healing client.
@@ -3430,6 +3522,23 @@ The following fields are available:
 - **UusVersion**  The version of the Update Undocked Stack.
 
 
+### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityGeneral
+
+Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack
+
+The following fields are available:
+
+- **CallerName**  Name of the application making the Windows Update Request. Used to identify context of the request.
+- **EndpointUrl**  Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
+- **ExtendedStatusCode**  Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **MetadataIntegrityMode**  Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **RawMode**  Raw unparsed mode string from the SLS response. May be null if not applicable.
+- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
+- **SLSPrograms**  A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
+- **StatusCode**  Result code of the event (success, cancellation, failure code HResult)
+- **UusVersion**  The version of the Update Undocked Stack
+
+
 ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit
 
 This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
@@ -3482,7 +3591,4 @@ The following fields are available:
 - **ScenarioSupported**  Whether the updated scenario that was passed in was supported.
 - **SessionId**  The UpdateAgent “SessionId” value.
 - **UpdateId**  Unique identifier for the Update.
-- **WuId**  Unique identifier for the Windows Update client.
-
-
-
+- **WuId**  Unique identifier for the Windows Update client.
\ No newline at end of file
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 439810cc47..5a65ea94c0 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -7,7 +7,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 05/23/2023
+ms.date: 09/26/2023
 ms.collection: highpri
 ms.topic: reference
 ---
@@ -37,7 +37,6 @@ You can learn more about Windows functional and diagnostic data through these ar
 - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
 - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
 
-
 ## AppPlatform events
 
 ### AppPlatform.InstallActivity
@@ -157,7 +156,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
 
 The following fields are available:
 
-- **AppraiserVersion**  The version of the appraiser binary generating the events.
+- **AppraiserVersion** The version of the appraiser binary generating the events.
 - **SdbEntries**  Indicates if any matching compat Sdb entries are associated with this application
 
 
@@ -1182,6 +1181,19 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntAdd
+
+This event sends data indicating whether the system supports the PopCnt CPU requirement for newer versions of Windows, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version
+- **Blocking**  Is the upgrade blocked due to the processor missing the PopCnt instruction?
+- **PopCntPassed**  Whether the machine passes the latest OS hardware requirements or not for the PopCnt instruction.
+
+
 ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
 
 This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
@@ -1462,7 +1474,7 @@ This event sends data about Azure presence, type, and cloud domain use in order
 
 The following fields are available:
 
-- **AADDeviceId**  Azure Active Directory device ID.
+- **AADDeviceId**  Microsoft Entra ID device ID.
 - **AzureOSIDPresent**  Represents the field used to identify an Azure machine.
 - **AzureVMType**  Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
 - **CDJType**  Represents the type of cloud domain joined for the machine.
@@ -1470,7 +1482,7 @@ The following fields are available:
 - **ContainerType**  The type of container, such as process or virtual machine hosted.
 - **EnrollmentType**  Defines the type of MDM enrollment on the device.
 - **HashedDomain**  The hashed representation of the user domain used for login.
-- **IsCloudDomainJoined**  Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsCloudDomainJoined**  Is this device joined to a Microsoft Entra tenant? true/false
 - **IsDERequirementMet**  Represents if the device can do device encryption.
 - **IsDeviceProtected**  Represents if Device protected by BitLocker/Device Encryption
 - **IsEDPEnabled**  Represents if Enterprise data protected on the device.
@@ -1478,7 +1490,7 @@ The following fields are available:
 - **MDMServiceProvider**  A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device.
 - **MPNId**  Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
 - **SCCMClientId**  This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment.
-- **ServerFeatures**  Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **ServerFeatures**  Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
 - **SystemCenterID**  The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
 
 
@@ -1941,6 +1953,7 @@ The following fields are available:
 
 - **wilActivity**  Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure.
 
+
 ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciAlreadyEnabled
 
 Fires when HVCI is already enabled so no need to continue auto-enablement.
@@ -2371,6 +2384,78 @@ The following fields are available:
 
 ## Diagnostic data events
 
+### TelClientSynthetic.AbnormalShutdown_0
+
+This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **AbnormalShutdownBootId**  BootId of the abnormal shutdown being reported by this event.
+- **AbsCausedbyAutoChk**  This flag is set when AutoCheck forces a device restart to indicate that the shutdown was not an abnormal shutdown.
+- **AcDcStateAtLastShutdown**  Identifies if the device was on battery or plugged in.
+- **BatteryLevelAtLastShutdown**  The last recorded battery level.
+- **BatteryPercentageAtLastShutdown**  The battery percentage at the last shutdown.
+- **CrashDumpEnabled**  Are crash dumps enabled?
+- **CumulativeCrashCount**  Cumulative count of operating system crashes since the BootId reset.
+- **CurrentBootId**  BootId at the time the abnormal shutdown event was being reported.
+- **Firmwaredata->ResetReasonEmbeddedController**  The reset reason that was supplied by the firmware.
+- **Firmwaredata->ResetReasonEmbeddedControllerAdditional**  Additional data related to reset reason provided by the firmware.
+- **Firmwaredata->ResetReasonPch**  The reset reason that was supplied by the hardware.
+- **Firmwaredata->ResetReasonPchAdditional**  Additional data related to the reset reason supplied by the hardware.
+- **Firmwaredata->ResetReasonSupplied**  Indicates whether the firmware supplied any reset reason or not.
+- **FirmwareType**  ID of the FirmwareType as enumerated in DimFirmwareType.
+- **HardwareWatchdogTimerGeneratedLastReset**  Indicates whether the hardware watchdog timer caused the last reset.
+- **HardwareWatchdogTimerPresent**  Indicates whether hardware watchdog timer was present or not.
+- **InvalidBootStat**  This is a sanity check flag that ensures the validity of the bootstat file.
+- **LastBugCheckBootId**  bootId of the last captured crash.
+- **LastBugCheckCode**  Code that indicates the type of error.
+- **LastBugCheckContextFlags**  Additional crash dump settings.
+- **LastBugCheckOriginalDumpType**  The type of crash dump the system intended to save.
+- **LastBugCheckOtherSettings**  Other crash dump settings.
+- **LastBugCheckParameter1**  The first parameter with additional info on the type of the error.
+- **LastBugCheckProgress**  Progress towards writing out the last crash dump.
+- **LastBugCheckVersion**  The version of the information struct written during the crash.
+- **LastSuccessfullyShutdownBootId**  BootId of the last fully successful shutdown.
+- **LongPowerButtonPressDetected**  Identifies if the user was pressing and holding power button.
+- **LongPowerButtonPressInstanceGuid**  The Instance GUID for the user state of pressing and holding the power button.
+- **OOBEInProgress**  Identifies if OOBE is running.
+- **OSSetupInProgress**  Identifies if the operating system setup is running.
+- **PowerButtonCumulativePressCount**  How many times has the power button been pressed?
+- **PowerButtonCumulativeReleaseCount**  How many times has the power button been released?
+- **PowerButtonErrorCount**  Indicates the number of times there was an error attempting to record power button metrics.
+- **PowerButtonLastPressBootId**  BootId of the last time the power button was pressed.
+- **PowerButtonLastPressTime**  Date and time of the last time the power button was pressed.
+- **PowerButtonLastReleaseBootId**  BootId of the last time the power button was released.
+- **PowerButtonLastReleaseTime**  Date and time of the last time the power button was released.
+- **PowerButtonPressCurrentCsPhase**  Represents the phase of Connected Standby exit when the power button was pressed.
+- **PowerButtonPressIsShutdownInProgress**  Indicates whether a system shutdown was in progress at the last time the power button was pressed.
+- **PowerButtonPressLastPowerWatchdogStage**  Progress while the monitor is being turned on.
+- **PowerButtonPressPowerWatchdogArmed**  Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
+- **ShutdownDeviceType**  Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API.
+- **SleepCheckpoint**  Provides the last checkpoint when there is a failure during a sleep transition.
+- **SleepCheckpointSource**  Indicates whether the source is the EFI variable or bootstat file.
+- **SleepCheckpointStatus**  Indicates whether the checkpoint information is valid.
+- **StaleBootStatData**  Identifies if the data from bootstat is stale.
+- **TransitionInfoBootId**  BootId of the captured transition info.
+- **TransitionInfoCSCount**  l number of times the system transitioned from Connected Standby mode.
+- **TransitionInfoCSEntryReason**  Indicates the reason the device last entered Connected Standby mode.
+- **TransitionInfoCSExitReason**  Indicates the reason the device last exited Connected Standby mode.
+- **TransitionInfoCSInProgress**  At the time the last marker was saved, the system was in or entering Connected Standby mode.
+- **TransitionInfoLastReferenceTimeChecksum**  The checksum of TransitionInfoLastReferenceTimestamp,
+- **TransitionInfoLastReferenceTimestamp**  The date and time that the marker was last saved.
+- **TransitionInfoLidState**  Describes the state of the laptop lid.
+- **TransitionInfoPowerButtonTimestamp**  The date and time of the last time the power button was pressed.
+- **TransitionInfoSleepInProgress**  At the time the last marker was saved, the system was in or entering sleep mode.
+- **TransitionInfoSleepTranstionsToOn**  Total number of times the device transitioned from sleep mode.
+- **TransitionInfoSystemRunning**  At the time the last marker was saved, the device was running.
+- **TransitionInfoSystemShutdownInProgress**  Indicates whether a device shutdown was in progress when the power button was pressed.
+- **TransitionInfoUserShutdownInProgress**  Indicates whether a user shutdown was in progress when the power button was pressed.
+- **TransitionLatestCheckpointId**  Represents a unique identifier for a checkpoint during the device state transition.
+- **TransitionLatestCheckpointSeqNumber**  Represents the chronological sequence number of the checkpoint.
+- **TransitionLatestCheckpointType**  Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational.
+- **VirtualMachineId**  If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host.
+
+
 ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
 
 This event is fired by UTC at state transitions to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
@@ -3375,7 +3460,7 @@ The following fields are available:
 - **DriverIsKernelMode**  Is it a kernel mode driver?
 - **DriverName**  The file name of the driver.
 - **DriverPackageStrongName**  The strong name of the driver package
-- **DriverSigned**  Is the driver signed?
+- **DriverSigned** Is the driver signed?
 - **DriverTimeStamp**  The low 32 bits of the time stamp of the driver file.
 - **DriverType**  A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
 - **DriverVersion**  The version of the driver file.
@@ -3689,7 +3774,7 @@ The following fields are available:
 - **appNextVersion**  The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
 - **appPingEventAppSize**  The total number of bytes of all downloaded packages. Default: '0'.
 - **appPingEventDoneBeforeOOBEComplete**  Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply.
-- **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US.
+- **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
 - **appPingEventDownloadMetricsCdnCID**  Numeric value used to internally track the origins of the updated binaries. For example, 2.
 - **appPingEventDownloadMetricsDownloadedBytes**  For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
 - **appPingEventDownloadMetricsDownloader**  A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
@@ -3876,6 +3961,33 @@ The following fields are available:
 - **resultCode**  HR result of operation.
 
 
+## Other events
+
+### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
+
+Heartbeat is sent once a day to indicate Defender is running and functional. Event includes necessary information to understand health of Defender on the device.
+
+The following fields are available:
+
+- **AppVersion**  Version of the Defender platform
+- **CampRing**  Camp ring used for monthly deployment
+- **CfaMode**  State of Controlled Folder Access
+- **ConsumerAsrMode**  State of Attack Surface Reduction
+- **CountAsrRules**  Number of Attack Surface Reduction rules in place
+- **EngineRing**  Engine ring used for monthly deployment
+- **EngineVersion**  Version of the AntiMalware Engine
+- **IsAsrAnyAudit**  Flag to indicate if any Attack Surface Reduction rules are running in Audit mode
+- **IsAsrAnyBlock**  Flag to indicate if any Attack Surface Reduction rules are running in Block mode
+- **IsBeta**  Flag to indicate if the user has opted in for Beta updates for Defender.
+- **IsManaged**  Flag to indicate if Defender is running in manage mode
+- **IsPassiveMode**  Flag to indicate if Defender is in Passive mode for ATP
+- **IsSxsPassiveMode**  Flag to indicate if Defender is in Passive mode for Limited periodic scanning
+- **ProductGuid**  Defender Product Guid (static for Defender).
+- **PusMode**  Mode for blocking potentially unwanted software
+- **ShouldHashIds**  Do we have ISO Compliance requirement to hash IDs for e5
+- **SignatureRing**  Signature ring used for deployments
+- **SigVersion**  Version of signature VDMs
+
 ## Privacy consent logging events
 
 ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@@ -3964,6 +4076,18 @@ The following fields are available:
 - **TargetPath**  (Optional) If the operation is a move, the target path to which the file or directory is being moved.
 
 
+### Microsoft.Windows.Setup.WinSetupMon.TraceErrorVolume
+
+Provides details about error in the functioning of upgrade data safety monitoring filter driver, related to a specific volume (drive).
+
+The following fields are available:
+
+- **Message**  Text string describing the error condition.
+- **SessionId**  Identifier to correlate this component's telemetry with that of others.
+- **Status**  NTSTATUS code related to the error.
+- **Volume**  Path of the volume on which the error occurs
+
+
 ### SetupPlatformTel.SetupPlatformTelActivityEvent
 
 This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date.
@@ -6225,6 +6349,17 @@ The following fields are available:
 - **WorkCompleted**  A flag that indicates if work is completed.
 
 
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **configuredPoliciescount**  Number of policies on the device.
+- **policiesNamevaluesource**  Policy name and source of policy (group policy, MDM or flight).
+- **updateInstalluxsetting**  Indicates whether a user has set policies via a user experience option.
+
+
 ### Microsoft.Windows.Update.Orchestrator.UX.InitiatingReboot
 
 This event indicates that a restart was initiated in to enable the update process. The data collected with this event is used to help keep Windows up to date.
@@ -6618,4 +6753,4 @@ The following fields are available:
 - **Disposition**  The parameter for the hard reserve adjustment function.
 - **Flags**  The flags passed to the hard reserve adjustment function.
 - **PendingHardReserveAdjustment**  The final change to the hard reserve size.
-- **UpdateType**  Indicates whether the change is an increase or decrease in the size of the hard reserve.
\ No newline at end of file
+- **UpdateType**  Indicates whether the change is an increase or decrease in the size of the hard reserve.
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index f564971ad6..1d88770967 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -7,7 +7,7 @@ localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 05/23/2023
+ms.date: 09/26/2023
 ms.collection: highpri
 ms.topic: reference
 ---
@@ -1652,6 +1652,30 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntAdd
+
+This event sends data indicating whether the system supports the PopCnt CPU requirement for newer versions of Windows, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version
+- **Blocking**  Is the upgrade blocked due to the processor missing the PopCnt instruction?
+- **PopCntPassed**  Whether the machine passes the latest OS hardware requirements or not for the PopCnt instruction.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPopCntStartSync
+
+The SystemProcessorPopCntStartSync event indicates that a new set of SystemProcessorPopCntAdd events will be sent. This event is used to understand if the system supports the PopCnt CPU requirement for newer versions of Windows.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion**  Appraiser version
+
+
 ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
 
 This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
@@ -1988,7 +2012,7 @@ This event sends data about Azure presence, type, and cloud domain use in order
 
 The following fields are available:
 
-- **AADDeviceId**  Azure Active Directory device ID.
+- **AADDeviceId**  Microsoft Entra ID device ID.
 - **AzureOSIDPresent**  Represents the field used to identify an Azure machine.
 - **AzureVMType**  Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
 - **CDJType**  Represents the type of cloud domain joined for the machine.
@@ -1996,7 +2020,7 @@ The following fields are available:
 - **ContainerType**  The type of container, such as process or virtual machine hosted.
 - **EnrollmentType**  Defines the type of MDM enrollment on the device.
 - **HashedDomain**  The hashed representation of the user domain used for login.
-- **IsCloudDomainJoined**  Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsCloudDomainJoined**  Is this device joined to a Microsoft Entra tenant? true/false
 - **IsDERequirementMet**  Represents if the device can do device encryption.
 - **IsDeviceProtected**  Represents if Device protected by BitLocker/Device Encryption
 - **IsDomainJoined**  Indicates whether a machine is joined to a domain.
@@ -2005,7 +2029,7 @@ The following fields are available:
 - **MDMServiceProvider**  A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device.
 - **MPNId**  Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
 - **SCCMClientId**  This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment.
-- **ServerFeatures**  Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **ServerFeatures**  Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
 - **SystemCenterID**  The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
 
 
@@ -2474,6 +2498,7 @@ The following fields are available:
 
 - **wilActivity**  Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure.
 
+
 ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed
 
 Fires when driver scanning fails to get results.
@@ -3125,7 +3150,7 @@ The following fields are available:
 - **CoordinatorVersion**  Coordinator version of DTU.
 - **CV**  Correlation vector.
 - **IsCTA**  If device has the CTA regkey set.
-- **IsDeviceAADDomainJoined**  Indicates whether the device is logged in to the AAD (Azure Active Directory) domain.
+- **IsDeviceAADDomainJoined**  Indicates whether the device is logged in to the Microsoft Entra domain.
 - **IsDeviceADDomainJoined**  Indicates whether the device is logged in to the AD (Active Directory) domain.
 - **IsDeviceCloverTrail**  Indicates whether the device has a Clover Trail system installed.
 - **IsDeviceDiskSpaceLow**  If device disk space is low.
@@ -5150,7 +5175,7 @@ The following fields are available:
 - **appPingEventDoneBeforeOOBEComplete**  Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply.
 - **appPingEventDownloadMetricsCdnAzureRefOriginShield**  Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. For example, Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z.
 - **appPingEventDownloadMetricsCdnCache**  Corresponds to the result, whether the proxy has served the result from cache (HIT for yes, and MISS for no) For example, HIT from proxy.domain.tld, MISS from proxy.local.
-- **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US.
+- **appPingEventDownloadMetricsCdnCCC**  ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
 - **appPingEventDownloadMetricsCdnCID**  Numeric value used to internally track the origins of the updated binaries. For example, 2.
 - **appPingEventDownloadMetricsCdnMSEdgeRef**  Used to help correlate client-to-AFD (Azure Front Door) conversations. For example, Ref A: E2476A9592DF426A934098C0C2EAD3AB Ref B: DM2EDGE0307 Ref C: 2022-01-13T22:08:31Z.
 - **appPingEventDownloadMetricsCdnP3P**  Electronic privacy statement: CAO = collects contact-and-other, PSA = for pseudo-analysis, OUR = data received by us only. Helps identify the existence of transparent intermediaries (proxies) that can create noise in legitimate error detection. For example, CP=\"CAO PSA OUR\".
@@ -5591,6 +5616,33 @@ The following fields are available:
 
 ## Other events
 
+### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
+
+Heartbeat is sent once a day to indicate Defender is running and functional. Event includes necessary information to understand health of Defender on the device.
+
+The following fields are available:
+
+- **AppVersion**  Version of the Defender platform
+- **CampRing**  Camp ring used for monthly deployment
+- **CfaMode**  State of Controlled Folder Access
+- **ConsumerAsrMode**  State of Attack Surface Reduction
+- **CountAsrRules**  Number of Attack Surface Reduction rules in place
+- **EngineRing**  Engine ring used for monthly deployment
+- **EngineVersion**  Version of the AntiMalware Engine
+- **HeartbeatType**  Enum of the reason the heartbeat is collected
+- **IsAsrAnyAudit**  Flag to indicate if any Attack Surface Reduction rules are running in Audit mode
+- **IsAsrAnyBlock**  Flag to indicate if any Attack Surface Reduction rules are running in Block mode
+- **IsBeta**  Flag to indicate if the user has opted in for Beta updates for Defender.
+- **IsManaged**  Flag to indicate if Defender is running in manage mode
+- **IsPassiveMode**  Flag to indicate if Defender is in Passive mode for ATP
+- **IsSxsPassiveMode**  Flag to indicate if Defender is in Passive mode for Limited periodic scanning
+- **ProductGuid**  Defender Product Guid (static for Defender).
+- **PusMode**  Mode for blocking potentially unwanted software
+- **ShouldHashIds**  Do we have ISO Compliance requirement to hash IDs for e5
+- **SignatureRing**  Signature ring used for deployments
+- **SigVersion**  Version of signature VDMs
+
+
 ### Microsoft.Windows.OneSettingsClient.Heartbeat
 
 This event indicates the config state heartbeat. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
@@ -5600,6 +5652,20 @@ The following fields are available:
 - **Configs**  Array of configs.
 
 
+### Microsoft.Windows.Security.SBServicing.ApplySecureBootUpdateFailed
+
+Event that indicates that an attempt to apply secure boot updates failed
+
+The following fields are available:
+
+- **Action**  Action string when error occured
+- **hr**  Error code in HRESULT
+- **IsResealNeeded**  BOOL value to indicate if TPM Reseal was needed
+- **SecureBootUpdateCaller**  Scenario in which function was called. Could be Update or Upgrade
+- **UpdateType**  Indicates if it is DB or DBX update
+- **WillResealSucceed**  Indicates if TPM reseal operation is expected to succeed
+
+
 ## Privacy consent logging events
 
 ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@@ -5730,6 +5796,16 @@ The following fields are available:
 
 ## Software update events
 
+### SoftwareUpdateClientTelemetry.BadUpdateMetadata
+
+Provides information on bad update metadata detection. This information is used to understand the impacted update and ensure correct updates to keep windows up to date.
+
+The following fields are available:
+
+- **RevisionId**  Update metadata revision Id.
+- **ServiceGuid**  The service endpoint (pre-defined GUID) which client is checking updates against.
+
+
 ### SoftwareUpdateClientTelemetry.CheckForUpdates
 
 This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date.
@@ -5749,7 +5825,7 @@ The following fields are available:
 - **CachedEngineVersion**  For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
 - **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
 - **CapabilityDetectoidGuid**  The GUID for a hardware applicability detectoid that could not be evaluated.
-- **CDNCountryCode**  Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNCountryCode**  Two letter country or region abbreviation for the Content Distribution Network (CDN) location.
 - **CDNId**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
 - **ClientVersion**  The version number of the software distribution client.
 - **CommonProps**  A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0.
@@ -5870,7 +5946,7 @@ The following fields are available:
 - **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
 - **CbsDownloadMethod**  Indicates whether the download was a full- or a partial-file download.
 - **CbsMethod**  The method used for downloading the update content related to the Component Based Servicing (CBS) technology.
-- **CDNCountryCode**  Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNCountryCode**  Two letter country or region abbreviation for the Content Distribution Network (CDN) location.
 - **CDNId**  ID which defines which CDN the software distribution client downloaded the content from.
 - **ClientVersion**  The version number of the software distribution client.
 - **CommonProps**  A bitmask for future flags associated with the Windows Update client behavior.
@@ -6370,6 +6446,25 @@ The following fields are available:
 - **Ver**  Schema version.
 
 
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV3
+
+Hardware level data about battery performance.
+
+The following fields are available:
+
+- **BatteryTelemetry**  Hardware Level Data about battery performance.
+- **ComponentId**  Component ID.
+- **FwVersion**  FW version that created this log.
+- **LogClass**  LOG CLASS.
+- **LogInstance**  Log instance within class (1..n).
+- **LogVersion**  LOG MGR VERSION.
+- **MCUInstance**  Instance id used to identify multiple MCU's in a product.
+- **ProductId**  ProductId ID.
+- **SeqNum**  Sequence Number.
+- **TimeStamp**  UTC seconds when log was created.
+- **Ver**  Schema version.
+
+
 ### Microsoft.Surface.Health.Binary.Prod.McuHealthLog
 
 This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly.
@@ -6923,10 +7018,10 @@ The following fields are available:
 - **CV**  The correlation vector.
 - **GlobalEventCounter**  Counts the events at the global level for telemetry.
 - **PackageVersion**  The package version for currency tools.
-- **UnifiedInstallerDeviceAADJoinedHresult**  The result code after checking if device is Azure Active Directory joined.
+- **UnifiedInstallerDeviceAADJoinedHresult**  The result code after checking if device is Microsoft Entra joined.
 - **UnifiedInstallerDeviceInDssPolicy**  Boolean indicating whether the device is found to be in a DSS policy.
 - **UnifiedInstallerDeviceInDssPolicyHresult**  The result code for checking whether the device is found to be in a DSS policy.
-- **UnifiedInstallerDeviceIsAADJoined**  Boolean indicating whether a device is Azure Active Directory joined.
+- **UnifiedInstallerDeviceIsAADJoined**  Boolean indicating whether a device is Microsoft Entra joined.
 - **UnifiedInstallerDeviceIsAdJoined**  Boolean indicating whether a device is AD joined.
 - **UnifiedInstallerDeviceIsAdJoinedHresult**  The result code for checking whether a device is AD joined.
 - **UnifiedInstallerDeviceIsEducationSku**  Boolean indicating whether a device is Education SKU.
@@ -7053,7 +7148,7 @@ The following fields are available:
 - **PackageVersion**  The package version of the label.
 - **UpdateHealthToolsDevicePolicyFileName**  The default name of the policy blob file.
 - **UpdateHealthToolsDssDeviceApiSegment**  The URI segment for reading the DSS device pointer.
-- **UpdateHealthToolsDssDeviceId**  The Azure Active Directory ID of the device used to create the device ID hash.
+- **UpdateHealthToolsDssDeviceId**  The ID in Microsoft Entra ID of the device used to create the device ID hash.
 - **UpdateHealthToolsDssDevicePolicyApiSegment**  The segment of the device policy API pointer.
 - **UpdateHealthToolsDssTenantId**  The tenant id of the device used to create the tenant id hash.
 - **UpdateHealthToolsHashedDeviceId**  The SHA256 hash of the device id.
@@ -7062,7 +7157,7 @@ The following fields are available:
 
 ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin
 
-This event is sent when the device is not joined to Azure Active Directory. The data collected with this event is used to help keep Windows up to date and secure.
+This event is sent when the device is not Microsoft Entra joined. The data collected with this event is used to help keep Windows up to date and secure.
 
 The following fields are available:
 
@@ -8804,6 +8899,19 @@ The following fields are available:
 
 - **wilActivity**  This struct provides a Windows Internal Library context used for Product and Service diagnostics.
 
+
+### Microsoft.Windows.Update.Orchestrator.Client.UpdatePolicyCacheRefresh
+
+This ensures the update policies are refreshed in the cache so that we can properly determine what updates the device should be offered and how the device should take the updates (e.g. how and when to scan, download, install, and reboot).
+
+The following fields are available:
+
+- **configuredPoliciescount**  Number of configured policies
+- **policiesNamevaluesource**  Name of the policies
+- **updateInstalluxsetting**  Whether the update install setting is set
+- **wuDeviceid**  Device ID.
+
+
 ### Microsoft.Windows.Update.Orchestrator.DeferRestart
 
 This event indicates that a restart required for installing updates was postponed. The data collected with this event is used to help keep Windows secure and up to date.
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index bf79b242af..cc4c373f09 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 05/20/2019
 ms.topic: conceptual
 ---
@@ -99,9 +99,9 @@ Windows deployment can be configured using several different methods that provid
 
 If you want the ability to fully control and apply restrictions on data being sent back to Microsoft, you can use [Configuration Manager](/mem/configmgr/) as a deployment solution. Configuration Manager can be used to deploy a customized boot image using a variety of [deployment methods](/mem/configmgr/osd/get-started/prepare-for-operating-system-deployment). You can further restrict any Configuration Manager-specific diagnostic data from being sent back to Microsoft by turning off this setting as outlined in the instructions [here](/mem/configmgr/core/plan-design/diagnostics/frequently-asked-questions).
 
-Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies.
+Alternatively, your administrators can also choose to use Windows Autopilot. Windows Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Windows Autopilot profile and policies.
 
-You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows:
+You can use the following articles to learn more about Windows Autopilot and how to use Windows Autopilot to deploy Windows:
 
 - [Overview of Windows Autopilot](/windows/deployment/windows-Autopilot/windows-Autopilot)
 - [Windows Autopilot deployment process](/windows/deployment/windows-Autopilot/deployment-process)
@@ -145,15 +145,12 @@ An administrator can disable a user’s ability to delete their device’s diagn
 
 #### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_
 
-> [!IMPORTANT]
-> There are some significant changes planned for the Windows diagnostic data processor configuration.  To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
-
 **Applies to:**
 
 - Windows 11 Enterprise, Professional, and Education editions
 - Windows 10 Enterprise, Professional, and Education, version 1809 with July 2021 update and newer
 
-The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD)-joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities.
+The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD)-joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities.
 
 The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific Azure Active Directory User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific Azure AD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer.
 
@@ -165,8 +162,6 @@ We recommend that IT administrators who have enabled the Windows diagnostic data
 >[!Note]
 >Tenant account closure will lead to the deletion of all data associated with that tenant.
 
-Specific services that depend on Windows diagnostic data will also result in the enterprise becoming controllers of their Windows diagnostic data. These services include Update Compliance, Windows Update for Business reports, Windows Update for Business, and Microsoft Managed Desktop. For more information, see [Related Windows product considerations](#5-related-windows-product-considerations).
-
 For more information on how Microsoft can help you honor rights and fulfill obligations under the GDPR when using Windows diagnostic data processor configurations, see [General Data Protection Regulation Summary](/compliance/regulatory/gdpr).
 
 ## 3. The process for exercising data subject rights
@@ -230,18 +225,17 @@ An administrator can configure privacy-related settings, such as choosing to onl
 >[!Note]
 >The Windows diagnostic data processor configuration is not available for Surface Hub.
 
-### 5.3 Microsoft Managed Desktop
+### 5.3 Windows Update for Business reports
 
-[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows Enterprise edition, Office 365 ProPlus, and Microsoft security services.
+[Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organization’s Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all of its reporting.
 
-### 5.4 Update Compliance
+### 5.4 Windows Autopatch
 
-[Update Compliance](/windows/deployment/update/update-compliance-monitor) is a service that enables organizations to monitor security, quality and feature updates for Windows Professional, Education, and Enterprise editions, and view a report of device and update issues related to compliance that need attention. Update Compliance uses Windows diagnostic data for all its reporting.
+[Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Windows Autopatch reports use Windows diagnostic data for their reporting.
 
-### 5.5 Windows Update for Business reports
-
-[Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organization’s Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all its reporting.
+### 5.5 Windows updates reports (in Microsoft Intune)
 
+Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. Microsoft Intune includes reports that help you prepare a Windows upgrade or update. For example, [App and driver compatibility reports](/mem/intune/protect/windows-update-compatibility-reports), [Windows driver updates](/mem/intune/protect/windows-driver-updates-overview), and [Windows Autopilot](/autopilot/windows-autopilot). These reports use Windows diagnostic data for their reporting.
 
 ## Additional Resources
 
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index 4838e70a06..483e61d221 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -6,8 +6,8 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
-ms.date: 12/17/2020
+manager: laurawi
+ms.date: 10/06/2023
 ms.topic: reference
 ---
 # Windows 11 connection endpoints for non-Enterprise editions
@@ -21,11 +21,11 @@ In addition to the endpoints listed for [Windows 11 Enterprise](manage-windows-1
 The following methodology was used to derive the network endpoints:
 
 1. Set up the latest version of Windows 11 on a test virtual machine using the default settings.
-2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device).
 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
 4. Compile reports on traffic going to public IP addresses.
-5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Microsoft Entra ID.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
 8. These tests were conducted for one week. If you capture traffic for longer, you may have different results.
 
@@ -49,7 +49,7 @@ The following methodology was used to derive the network endpoints:
 |Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
 |Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com|
 |Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
-|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
 ||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
 |Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
 |Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
@@ -62,7 +62,7 @@ The following methodology was used to derive the network endpoints:
 |||HTTPS/HTTP|ecn.dev.virtualearth.net|
 |||HTTPS/HTTP|ssl.bing.com|
 |Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
-|Microsoft Edge| This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires these endpoint to contact external websites.|HTTPS/HTTP|edge.activity.windows.com </br> edge.microsoft.com|
+|Microsoft Edge| This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires these endpoints to contact external websites.|HTTPS/HTTP|edge.activity.windows.com </br> edge.microsoft.com|
 |Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
 |Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
 ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
@@ -76,7 +76,7 @@ The following methodology was used to derive the network endpoints:
 |||TLSv1.2/HTTPS|office.com|
 |||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
 |||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
-|||HTTP/HTTPS|*.blob.core.windows.net|
+|||HTTPS/HTTP|*.blob.core.windows.net|
 |||TLSv1.2|self.events.data.microsoft.com|
 |||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
 |||HTTP|roaming.officeapps.live.com|
@@ -107,7 +107,7 @@ The following methodology was used to derive the network endpoints:
 ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
 |||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
 ||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
-||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS/HTTP|adl.windows.com|
 ||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
 |Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
 |||TLSv1.2/HTTPS|da.xboxservices.com|
@@ -119,60 +119,120 @@ The following methodology was used to derive the network endpoints:
 | **Area** | **Description** | **Protocol** | **Destination** |
 | --- | --- | --- | ---|
 | Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
-|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
+|||HTTP|assets.activity.windows.com|
+|Apps|The following endpoint is used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
 ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
 ||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
-||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
+||The following endpoint is used for Spotify Live Tile.|HTTPS/HTTP|spclient.wg.spotify.com|
+|Certificates|The following endpoints are used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
+|||HTTP|ocsp.digicert.com|
 |Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
+|||HTTPS|business.bing.com|
+|||HTTP|c.bing.com|
+|||HTTP|edgeassetservice.azureedge.net|
+|||HTTP|fp.msedge.net|
+|||HTTP|fp-vs.azureedge.net|
+|||TLSv1.2|ln-ring.msedge.net|
+|||TLSv1.2|prod-azurecdn-akamai-iris.azureedge.net|
+|||HTTP|r.bing.com|
+|||TLSv1.2/HTTP|s-ring.msedge.net|
+|||HTTP|t-ring.msedge.net|
+|||HTTP|t-ring-fdv2.msedge.net|
+|||TLSv1.2|tse1.mm.bing.net|
+|||TLSv1.2|widgetcdn.azureedge.net|
+|||TLSv1.2|widgetservice.azurefd.net|
 |Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
 |Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
-|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. |TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|Diagnostic data||HTTP|browser.events.data.msn.com|
+|||TLSv1.2|functional.events.data.microsoft.com|
+|||TLSv1.2/HTTP|www.microsoft.com|
+||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. |TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|||TLSv1.2/HTTP|self.events.data.microsoft.com|
 ||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
-|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
-|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
+|||TLSv1.2/HTTP|watson.events.data.microsoft.com|
+|Font Streaming|The following endpoints is used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
+|Licensing|The following endpoint is used for online activation and some app licensing.|TLSv1.2/HTTPS/HTTP|*licensing.mp.microsoft.com|
+|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps can't use location data.|TLSv1.2|inference.location.live.net|
 |Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
-|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. |TLSv1.2/HTTPS/HTTP|*login.live.com|
-|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates. |HTTPS/HTTP|msedge.api.cdp.microsoft.com|
-|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
+|||HTTP|ecn-us.dev.virtualearth.net|
+|Microsoft Account|The following endpoint is used for Microsoft accounts to sign in. |TLSv1.2/HTTPS/HTTP|*login.live.com|
+|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
+|||TLSv1.2/HTTPS|wdcpalt.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
+|||TLSv1.2|*.smartscreen.microsoft.com|
+|||TLSv1.2/HTTP|checkappexec.microsoft.com|
+|Microsoft Edge|The following endpoints are used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates. |HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|||TLSv1.2/HTTP|edge.microsoft.com|
+|||HTTP|edge.nelreports.net|
+|||TLSv1.2/HTTP|windows.msn.com|
+|Microsoft Store|The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
+|||HTTP|img-s-msn-com.akamaized.net|
 ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
 ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
 ||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
 |||HTTPS|storesdk.dsx.mp.microsoft.com|
 ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
+||The following endpoint is needed to load the content in the Microsoft Store app.|HTTP|storeedgefd.dsx.mp.microsoft.com|
+|Microsoft To Do|The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.microsoft.com|
+|||TLSv1.2/HTTP|to-do.microsoft.com|
 |Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
-|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com|
+|||HTTP|ipv6.msftconnecttest.com|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
+|||TLSv1.2/HTTPS/HTTP|*.blob.core.windows.net|
+|||TLSv1.2/HTTP|ecs.nel.measure.office.net|
+|||TLSv1.2/HTTP|ocws.officeapps.live.com|
+|||TLSv1.2/HTTP|odc.officeapps.live.com|
 |||TLSv1.2/HTTPS|office.com|
-|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
-|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
-|||HTTP/HTTPS|*.blob.core.windows.net|
-|||TLSv1.2|self.events.data.microsoft.com|
-|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
 |||TLSv1.2/HTTPS/HTTP|officeclient.microsoft.com|
+|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
+|||TLSv1.2/HTTPS/HTTP|outlook.office365.com|
+|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
+|||HTTP|roaming.officeapps.live.com|
+|||TLSv1.2|self.events.data.microsoft.com|
 |||HTTPS/HTTP|substrate.office.com|
-|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
-|||TLSv1.2/HTTPS|oneclient.sfx.ms|
+|||HTTP|tfl.nel.measure.office.net|
+|OneDrive|The following endpoints are related to OneDrive.|HTTP|ams03pap005.storage.live.com|
+|||HTTP|api.onedrive.com|
+|||HTTPS|g.live.com|
 |||HTTPS/TLSv1.2|logincdn.msauth.net|
-|||HTTPS/HTTP|windows.policies.live.net|
-|||HTTPS/HTTP|*storage.live.com|
+|||TLSv1.2/HTTPS|oneclient.sfx.ms|
+|||HTTP|onedrive.live.com|
+|||HTTP|sat02pap005.storage.live.com|
 |||HTTPS/HTTP|*settings.live.net|
-|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
+|||HTTP|skyapi.live.net|
+|||HTTP|skydrivesync.policies.live.net|
+|||HTTPS/HTTP|*storage.live.com|
+|||HTTPS/HTTP|windows.policies.live.net|
+|Settings|The following endpoints are used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
 |||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
-|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
+|Skype|The following endpoints are used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
 |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
-|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
-|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com</br>wdcpalt.microsoft.com|
-|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
-|||TLSv1.2/HTTP|checkappexec.microsoft.com|
-|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*</br>ris.api.iris.microsoft.com|
-|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
+|||HTTP|edge.skype.com|
+|||HTTP|experimental-api.asm.skype.com|
+|||HTTP|trouter-azsc-ukwe-0-b.trouter.skype.com|
+|||HTTP|us-api.asm.skype.com|
+|Teams|The following endpoints are used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
+|||TLSv1.2/HTTP|teams.events.data.microsoft.com|
+|||HTTP|teams.live.com|
+|||HTTP|statics.teams.cdn.live.net|
+|||HTTP|statics.teams.cdn.office.net|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTP|api.msn.com|
+|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
+|||TLSv1.2/HTTP|assets.msn.com|
+|||HTTP|c.msn.com|
+|||TLSv1.2/HTTP|fd.api.iris.microsoft.com|
+|||HTTP|ntp.msn.com|
+|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
+|||HTTP|srtb.msn.com|
+|||TLSv1.2/HTTP|www.msn.com|
+|Windows Update||TLSv1.2|definitionupdates.microsoft.com|
+||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
 |||TLSv1.2/HTTP|emdl.ws.microsoft.com|
 |||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
 ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
 |||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
-||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
-||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint enables connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS/HTTP|adl.windows.com|
 ||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
 |Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
 |||TLSv1.2/HTTPS|da.xboxservices.com|
@@ -195,7 +255,7 @@ The following methodology was used to derive the network endpoints:
 |||TLSv1.2|odinvzc.azureedge.net|
 |||TLSv1.2|b-ring.msedge.net|
 |Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
-|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
 ||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
 |Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
 |Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
@@ -233,7 +293,7 @@ The following methodology was used to derive the network endpoints:
 ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
 |||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
 ||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
-||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS/HTTP|adl.windows.com|
 ||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
 |Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
 |||TLSv1.2/HTTPS|da.xboxservices.com|
diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md
index 164bc33b67..7ae4b7f694 100644
--- a/windows/privacy/windows-diagnostic-data-1703.md
+++ b/windows/privacy/windows-diagnostic-data-1703.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 03/31/2017
 ms.topic: reference
 ---
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 63ed56d1a2..07b2b5073b 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 03/31/2017
 ms.collection: highpri
 ms.topic: reference
diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
index 85910f867e..74b6ce5ab7 100644
--- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 06/29/2018
 ms.topic: reference
 ---
diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
index 544fdaf06d..c10a331f56 100644
--- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 06/29/2018
 ms.topic: reference
 ---
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
index 6ff9f92fef..22f613edc5 100644
--- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 07/20/2020
 ms.topic: reference
 ---
diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
index 095cbad7b5..2a78739318 100644
--- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 05/11/2020
 ms.topic: reference
 ---
diff --git a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
index 0074932afa..dd6dc0c592 100644
--- a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 12/17/2020
 ms.topic: reference
 ---
diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
index a3858b594d..c9fc4c9d3a 100644
--- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
@@ -6,7 +6,7 @@ ms.technology: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
-manager: dougeby
+manager: laurawi
 ms.date: 12/17/2020
 ms.topic: reference
 ---
diff --git a/windows/security/application-security/application-control/user-account-control/how-it-works.md b/windows/security/application-security/application-control/user-account-control/how-it-works.md
index b4983f373e..2e4ec8b5e5 100644
--- a/windows/security/application-security/application-control/user-account-control/how-it-works.md
+++ b/windows/security/application-security/application-control/user-account-control/how-it-works.md
@@ -4,7 +4,7 @@ description: Learn about User Account Control (UAC) components and how it intera
 ms.collection: 
   - highpri
   - tier2
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 05/24/2023
 ---
 
diff --git a/windows/security/application-security/application-control/user-account-control/index.md b/windows/security/application-security/application-control/user-account-control/index.md
index d0f5b5db9d..aad3fb9eab 100644
--- a/windows/security/application-security/application-control/user-account-control/index.md
+++ b/windows/security/application-security/application-control/user-account-control/index.md
@@ -4,7 +4,7 @@ description: Learn how User Account Control (UAC) helps to prevent unauthorized
 ms.collection: 
   - highpri
   - tier2
-ms.topic: conceptual
+ms.topic: overview
 ms.date: 05/24/2023
 ---
 
diff --git a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
index 686128a9d3..284e549300 100644
--- a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
+++ b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
@@ -13,15 +13,15 @@ The following table lists the available settings to configure the UAC behavior,
 
 |Setting name| Description|
 |-|-|
-|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system has been reduced.|
-|Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.<br><br>**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.<br>**Disabled (default)** : The built-in Administrator account runs all applications with full administrative privilege.|
-|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
+|Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.<br><br>**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.<br>**Disabled (default)**: The built-in Administrator account runs all applications with full administrative privilege.|
+|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.<br><br>**Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting: if it's' configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.<br>**Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|
 |Behavior of the elevation prompt for administrators in Admin Approval Mode|Controls the behavior of the elevation prompt for administrators.<br><br>**Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.<br>**Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.<br>**Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.|
 |Behavior of the elevation prompt for standard users|Controls the behavior of the elevation prompt for standard users.<br><br>**Prompt for credentials (default)**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.<br>**Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.|
 |Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.<br><br>**Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |
 |Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.<br><br>**Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.<br>**Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|
 |Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:<br>- `%ProgramFiles%`, including subfolders<br>- `%SystemRoot%\system32\`<br>- `%ProgramFiles(x86)%`, including subfolders<br><br><br>**Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.<br>**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.<br><br>**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|
-|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.<br><br>**Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting: if it's' configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.<br>**Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|
+|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system has been reduced.|
+|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
 |Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.<br><br>**Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.<br>**Disabled**: Apps that write data to protected locations fail.|
 
 ## User Account Control configuration
@@ -50,15 +50,15 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Local
 
 |Setting|
 | - |
-| **Setting name**: Run all administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
 | **Setting name**: Admin Approval Mode for the built-in Administrator account<br>**Policy CSP name**: `UserAccountControl_UseAdminApprovalMode`|
-| **Setting name**: Switch to the secure desktop when prompting for elevation<br>**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
+| **Setting name**: Allow UIAccess applications to prompt for elevation without using the secure desktop<br>**Policy CSP name**: `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation`|
 | **Setting name**: Behavior of the elevation prompt for administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForAdministrators`|
 | **Setting name**: Behavior of the elevation prompt for standard users<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers`|
 | **Setting name**: Detect application installations and prompt for elevation<br>**Policy CSP name**: `UserAccountControl_DetectApplicationInstallationsAndPromptForElevation`|
 | **Setting name**: Only elevate executables that are signed and validated<br>**Policy CSP name**: `UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated`|
 | **Setting name**: Only elevate UIAccess applications that are installed in secure locations<br>**Policy CSP name**: `UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations`|
-| **Setting name**: Allow UIAccess applications to prompt for elevation without using the secure desktop<br>**Policy CSP name**: `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation`|
+| **Setting name**: Run all administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
+| **Setting name**: Switch to the secure desktop when prompting for elevation<br>**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
 | **Setting name**: Virtualize file and registry write failures to per-user locations<br>**Policy CSP name**: `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|
 
 #### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
@@ -69,15 +69,15 @@ The policy settings are located under: `Computer Configuration\Windows Settings\
 
 | Group Policy setting |Default value|
 | - | - |
-|User Account Control: Run all administrators in Admin Approval Mode| Enabled |
 |User Account Control: Admin Approval Mode for the built-in Administrator account|  Disabled |
-|User Account Control: Switch to the secure desktop when prompting for elevation |  Enabled |
+|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop| Disabled |
 |User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode| Prompt for consent for non-Windows binaries |
 |User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
-|User Account Control: Detect application installations and prompt for elevation| Enabled (default for home only)<br />Disabled (default) |
+|User Account Control: Detect application installations and prompt for elevation| Enabled (default for home edition only)<br />Disabled (default) |
 |User Account Control: Only elevate executables that are signed and validated| Disabled |
 |User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
-|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop| Disabled |
+|User Account Control: Run all administrators in Admin Approval Mode| Enabled |
+|User Account Control: Switch to the secure desktop when prompting for elevation |  Enabled |
 |User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
 
 #### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
@@ -86,15 +86,15 @@ The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\Cur
 
 | Setting name | Registry key name | Value |
 | - | - | - |
-| Run all administrators in Admin Approval Mode | `EnableLUA` | 0 = Disabled<br>1 (Default) = Enabled |
 | Admin Approval Mode for the built-in Administrator account | `FilterAdministratorToken` | 0 (Default) = Disabled<br>1 = Enabled |
-| Switch to the secure desktop when prompting for elevation| `PromptOnSecureDesktop` | 0 = Disabled<br>1 (Default) = Enabled |
+| Allow UIAccess applications to prompt for elevation without using the secure desktop | `EnableUIADesktopToggle` | 0 (Default) = Disabled<br>1 = Enabled |
 | Behavior of the elevation prompt for administrators in Admin Approval Mode| `ConsentPromptBehaviorAdmin` | 0 = Elevate without prompting<br>1 = Prompt for credentials on the secure desktop<br>2 = Prompt for consent on the secure desktop<br>3 = Prompt for credentials<br>4 = Prompt for consent<br>5 (Default) = Prompt for consent for non-Windows binaries|
 | Behavior of the elevation prompt for standard users | `ConsentPromptBehaviorUser` | 0 = Automatically deny elevation requests<br>1 = Prompt for credentials on the secure desktop<br>3 (Default) = Prompt for credentials |
 | Detect application installations and prompt for elevation | `EnableInstallerDetection` | 1 = Enabled (default for home only)<br>0 = Disabled (default) |
 | Only elevate executables that are signed and validated | `ValidateAdminCodeSignatures` | 0 (Default) = Disabled<br>1 = Enabled |
 | Only elevate UIAccess applications that are installed in secure locations | `EnableSecureUIAPaths` | 0 = Disabled<br>1 (Default) = Enabled |
-| Allow UIAccess applications to prompt for elevation without using the secure desktop | `EnableUIADesktopToggle` | 0 (Default) = Disabled<br>1 = Enabled |
+| Run all administrators in Admin Approval Mode | `EnableLUA` | 0 = Disabled<br>1 (Default) = Enabled |
+| Switch to the secure desktop when prompting for elevation| `PromptOnSecureDesktop` | 0 = Disabled<br>1 (Default) = Enabled |
 | Virtualize file and registry write failures to per-user locations | `EnableVirtualization` | 0 = Disabled<br>1 (Default) = Enabled |
 
 [WIN-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
index eaf509458d..7c130ac1f2 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
@@ -4,6 +4,7 @@ description: This article provides a description of AppLocker and can help you d
 ms.collection:
 - highpri
 - tier3
+- must-keep
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 06/07/2023
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index 0d956ceadf..4a3fe25421 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -31,11 +31,11 @@ Rule enforcement is applied only to a collection of rules, not to individual rul
 
 ## Step 3: Update the policy
 
-You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](https://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the 
-Microsoft Desktop Optimization Pack.
+You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) feature from the Microsoft Desktop Optimization Pack.
+
+> [!CAUTION]
+> You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
 
->**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
- 
 For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
 
 For the procedures to distribute policies for local PCs by using the Local Security Policy snap-in (secpol.msc), see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index 2afb56de2f..c6f4be0bc8 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -67,7 +67,7 @@ Collecting these events in a central location can help you maintain your AppLock
 
 As new apps are deployed or existing apps are updated by the software publisher, you'll need to make revisions to your rule collections to ensure that the policy is current.
 
-You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](https://go.microsoft.com/fwlink/p/?LinkId=145013).
+You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more information, see [Advanced Group Policy Management Overview](/microsoft-desktop-optimization-pack/agpm/).
 
 > [!IMPORTANT]
 > You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
index 35cecd0bee..f237a5b23c 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
@@ -38,24 +38,24 @@ The following table contains information about the events that you can use to de
 
 | Event ID | Level | Event message | Description |
 | --- | --- | --- | --- |
-| 8000 | Error| Application Identity Policy conversion failed. Status * &lt;%1&gt; *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| 
+| 8000 | Error| AppID policy conversion failed. Status * &lt;%1&gt; *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| 
 | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| 
 | 8002 | Information| *&lt;File name&gt; * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| 
-| 8003 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
-| 8004 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| 
+| 8003 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
+| 8004 | Error| *&lt;File name&gt; * was prevented from running.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| 
 | 8005| Information| *&lt;File name&gt; * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| 
-| 8006 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
-| 8007 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.| 
-| 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| 
-| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| 
-| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| 
-| 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.| 
-| 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.|
-| 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| 
-| 8025 | Warning| Packaged app installation disabled.| Added in Windows Server 2012 and Windows 8.| 
-| 8027 | Warning| No Packaged app rule configured.| Added in Windows Server 2012 and Windows 8.| 
-| 8028 | Warning | * was allowed to run but would have been prevented if the Config CI policy was enforced.| Added in Windows Server 2016 and Windows 10.|
-| 8029 | Error | * was prevented from running due to Config CI policy.| Added in Windows Server 2016 and Windows 10.|
+| 8006 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
+| 8007 | Error| *&lt;File name&gt; * was prevented from running.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.| 
+| 8008| Warning| *&lt;File name&gt; *: AppLocker component not available on this SKU.| Added in Windows Server 2012 and Windows 8.| 
+| 8020| Information| *&lt;File name&gt; * was allowed to run.| Added in Windows Server 2012 and Windows 8.| 
+| 8021| Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Added in Windows Server 2012 and Windows 8.| 
+| 8022| Error| *&lt;File name&gt; * was prevented from running.| Added in Windows Server 2012 and Windows 8.| 
+| 8023 | Information| *&lt;File name&gt; * was allowed to be installed.| Added in Windows Server 2012 and Windows 8.|
+| 8024 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Added in Windows Server 2012 and Windows 8.| 
+| 8025 | Error| *&lt;File name&gt; * was prevented from running.| Added in Windows Server 2012 and Windows 8.| 
+| 8027 | Error| No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.| Added in Windows Server 2012 and Windows 8.| 
+| 8028 | Warning | *&lt;File name&gt; * was allowed to run but would have been prevented if the Config CI policy were enforced.| Added in Windows Server 2016 and Windows 10.|
+| 8029 | Error | *&lt;File name&gt; * was prevented from running due to Config CI policy.| Added in Windows Server 2016 and Windows 10.|
 | 8030 | Information | ManagedInstaller check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.|
 | 8031 | Information | SmartlockerFilter detected file * being written by process * | Added in Windows Server 2016 and Windows 10.|
 | 8032 | Error | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.|
@@ -63,9 +63,9 @@ The following table contains information about the events that you can use to de
 | 8034 | Information | ManagedInstaller Script check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.|
 | 8035 | Error | ManagedInstaller Script check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.|
 | 8036 | Error | * was prevented from running due to Config CI policy | Added in Windows Server 2016 and Windows 10.|
-| 8037 | Information | * passed Config CI policy and was allowed to run | Added in Windows Server 2016 and Windows 10.|
+| 8037 | Information | * passed Config CI policy and was allowed to run.| Added in Windows Server 2016 and Windows 10.|
 | 8038 | Information | Publisher info: Subject: * Issuer: * Signature index * (* total) | Added in Windows Server 2016 and Windows 10.|
-| 8039 | Warning | * passed Config CI policy and was allowed to run | Added in Windows Server 2016 and Windows 10.|
+| 8039 | Warning | Package family name * version * was allowed to install or update but would have been prevented if the Config CI policy | Added in Windows Server 2016 and Windows 10.|
 | 8040 | Error | Package family name * version * was prevented from installing or updating due to Config CI policy | Added in Windows Server 2016 and Windows 10.|
 
  
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md
index 1909066094..c7086b6b5e 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md
@@ -2,7 +2,7 @@
 title: Deploy WDAC policies using Mobile Device Management (MDM)
 description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
 ms.localizationpriority: medium
-ms.date: 01/23/2023
+ms.date: 08/30/2023
 ms.topic: how-to
 ---
 
@@ -28,10 +28,10 @@ Intune's built-in Windows Defender Application Control support allows you to con
 - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
 
 > [!NOTE]
-> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.
+> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. Use the [improved Intune WDAC experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to create and deploy multiple-policy format files. Or, you can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.
 
 > [!NOTE]
-> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies WDAC policies. You can use Intune's custom OMA-URI feature with the ApplicationControl CSP to deploy your own WDAC policies without a restart.
+> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies WDAC policies. Use the [improved Intune WDAC experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to deploy your own WDAC policies without a restart. Or, you can use Intune's custom OMA-URI feature with the ApplicationControl CSP.
 
 To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windows 10 (and later)](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json).
 
@@ -46,6 +46,9 @@ You should now have one or more WDAC policies converted into binary form. If not
 
 Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies.
 
+> [!NOTE]
+> You must convert your custom policy XML to binary form before deploying with OMA-URI.
+
 The steps to use Intune's custom OMA-URI functionality are:
 
 1. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
@@ -53,10 +56,9 @@ The steps to use Intune's custom OMA-URI functionality are:
 2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
     - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
     - **Data type**: Base64 (file)
-    - **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. 
+    - **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune converts the uploaded .bin file to Base64 on your behalf.
 
-    > [!div class="mx-imgBorder"]
-    > ![Configure custom WDAC.](../images/wdac-intune-custom-oma-uri.png)
+    :::image type="content" alt-text="Configure custom WDAC." source="../images/wdac-intune-custom-oma-uri.png" lightbox="../images/wdac-intune-custom-oma-uri.png":::
 
 > [!NOTE]
 > For the _Policy GUID_ value, do not include the curly brackets.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
index a190d84898..3eac346b20 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
@@ -5,6 +5,7 @@ ms.localizationpriority: medium
 ms.collection:
 - highpri
 - tier3
+- must-keep
 ms.date: 06/06/2023
 ms.topic: article
 ---
@@ -80,7 +81,7 @@ To check that the policy was successfully applied on your computer:
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
-  <VersionEx>10.0.25880.0</VersionEx>
+  <VersionEx>10.0.25965.0</VersionEx>
   <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
   <Rules>
     <Rule>
@@ -515,18 +516,6 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_BSHWMIO64_SHA256_1" FriendlyName="BS_HWMIo64.sys\6dafd15ee2fbce87fef1279312660fc399c4168f55b6e6d463bf680f1979adcf Hash Sha256" Hash="7EA9B2420483183CF7B25D6577848F2DFE2AE064A61D931D6B8B65B31A1B2685" />
     <Deny ID="ID_DENY_BSHWMIO64_SHA1_PAGE_1" FriendlyName="BS_HWMIo64.sys\6dafd15ee2fbce87fef1279312660fc399c4168f55b6e6d463bf680f1979adcf Hash Page Sha1" Hash="7E21A9D03BCB6DD7597AD70B59CBD1F5930FFBF1" />
     <Deny ID="ID_DENY_BSHWMIO64_SHA256_PAGE_1" FriendlyName="BS_HWMIo64.sys\6dafd15ee2fbce87fef1279312660fc399c4168f55b6e6d463bf680f1979adcf Hash Page Sha256" Hash="74C425BFDDD93700379E677F5CED47FC0FB4FFFC8B2E416A5247D91E5F2704E3" />
-    <Deny ID="ID_DENY_DHKERNEL_1" FriendlyName="YY_DhKernel\80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3 Hash Sha1" Hash="B92959042D232605ABBA254BC0368B87EC047079" />
-    <Deny ID="ID_DENY_DHKERNEL_2" FriendlyName="YY_DhKernel\80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3 Hash Sha256" Hash="C786F3CA229DA18B2806AF4D57ECAD603859EE548549B19F71A623F477FC740E" />
-    <Deny ID="ID_DENY_DHKERNEL_3" FriendlyName="YY_DhKernel\80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3 Hash Page Sha1" Hash="CFE049C9BAB44EDD22D135330F7825063F1307B4" />
-    <Deny ID="ID_DENY_DHKERNEL_4" FriendlyName="YY_DhKernel\80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3 Hash Page Sha256" Hash="8146C482151930412A3A648CEFE80643FB1016214117BFF256153E52D01E4ED2" />
-    <Deny ID="ID_DENY_DHKERNEL_5" FriendlyName="YY_DhKernel\bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955 Hash Sha1" Hash="508C1A26486188AA1268D6C23C65E57B8EFE71F6" />
-    <Deny ID="ID_DENY_DHKERNEL_6" FriendlyName="YY_DhKernel\bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955 Hash Sha256" Hash="F5215F83138901CA7ADE60C2222446FA3DD7E8900A745BD339F8A596CB29356C" />
-    <Deny ID="ID_DENY_DHKERNEL_8" FriendlyName="YY_DhKernel\bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955 Hash Page Sha1" Hash="475E1306D823702264DB8451D8A1D3512E7CA260" />
-    <Deny ID="ID_DENY_DHKERNEL_9" FriendlyName="YY_DhKernel\bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955 Hash Page Sha256" Hash="2BF083DCADC1CAE99AD5C5901317130C1230A228208F37DCB4DF341394442299" />
-    <Deny ID="ID_DENY_DHKERNEL_10" FriendlyName="YY_DhKernel\dcd026fd2ff8d517e2779d67b3d2d5f9a7aa39f19c66fa8ff2cab66d5c6461c6 Hash Sha1" Hash="39ED8A86F91A548AE05E71E9C1C337ED4FAD8EE4" />
-    <Deny ID="ID_DENY_DHKERNEL_11" FriendlyName="YY_DhKernel\dcd026fd2ff8d517e2779d67b3d2d5f9a7aa39f19c66fa8ff2cab66d5c6461c6 Hash Sha256" Hash="8BCE2AFD04EC073143A2A4BA51671992451C8E747A84852458321F2D275B5433" />
-    <Deny ID="ID_DENY_DHKERNEL_12" FriendlyName="YY_DhKernel\dcd026fd2ff8d517e2779d67b3d2d5f9a7aa39f19c66fa8ff2cab66d5c6461c6 Hash Page Sha1" Hash="890A839069A81D76EB8FB53C9D18F8BE09C101F2" />
-    <Deny ID="ID_DENY_DHKERNEL_13" FriendlyName="YY_DhKernel\dcd026fd2ff8d517e2779d67b3d2d5f9a7aa39f19c66fa8ff2cab66d5c6461c6 Hash Page Sha256" Hash="F7365B2ECAD159FFD61261F114333765FD73E3039270F51837EB24A63455AE9A" />
     <Deny ID="ID_DENY_BS_RCIO_08" FriendlyName="BS_RCIO\1d0105b5e41fe0280f66d7a24eb00a04c03caaec Hash Sha1" Hash="1D0105B5E41FE0280F66D7A24EB00A04C03CAAEC" />
     <Deny ID="ID_DENY_BS_RCIO_09" FriendlyName="BS_RCIO\d9111b2bedf78a769bb0799b964663cd119edaa8 Hash Sha1" Hash="D9111B2BEDF78A769BB0799B964663CD119EDAA8" />
     <Deny ID="ID_DENY_BS_RCIO_10" FriendlyName="BS_RCIO\362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc Hash Sha1" Hash="3311E4E94E8A6DD81859719FBE0FCBF187F0BD8A" />
@@ -549,6 +538,18 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_BS_RCIO_21" FriendlyName="BS_RCIO\e9e711056fada8681f3eb5578a0d449b68568bc812e29dfcc0b92b9a9e481202 Hash Sha256" Hash="30591EA53FBA8BAD22A017CF5A268211790706B7863F007CE20A77F2E3459170" />
     <Deny ID="ID_DENY_BS_RCIO_22" FriendlyName="BS_RCIO\e9e711056fada8681f3eb5578a0d449b68568bc812e29dfcc0b92b9a9e481202 Hash Page Sha1" Hash="AF5B84A2456E2621F920D61130DDAAD32CD4729F" />
     <Deny ID="ID_DENY_BS_RCIO_23" FriendlyName="BS_RCIO\e9e711056fada8681f3eb5578a0d449b68568bc812e29dfcc0b92b9a9e481202 Hash Page Sha256" Hash="6F698A9123CC763F0F035CF50177BF5690B4644802746C8C2F06F59CFC0D9F81" />
+    <Deny ID="ID_DENY_DHKERNEL_1" FriendlyName="YY_DhKernel\80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3 Hash Sha1" Hash="B92959042D232605ABBA254BC0368B87EC047079" />
+    <Deny ID="ID_DENY_DHKERNEL_2" FriendlyName="YY_DhKernel\80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3 Hash Sha256" Hash="C786F3CA229DA18B2806AF4D57ECAD603859EE548549B19F71A623F477FC740E" />
+    <Deny ID="ID_DENY_DHKERNEL_3" FriendlyName="YY_DhKernel\80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3 Hash Page Sha1" Hash="CFE049C9BAB44EDD22D135330F7825063F1307B4" />
+    <Deny ID="ID_DENY_DHKERNEL_4" FriendlyName="YY_DhKernel\80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3 Hash Page Sha256" Hash="8146C482151930412A3A648CEFE80643FB1016214117BFF256153E52D01E4ED2" />
+    <Deny ID="ID_DENY_DHKERNEL_5" FriendlyName="YY_DhKernel\bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955 Hash Sha1" Hash="508C1A26486188AA1268D6C23C65E57B8EFE71F6" />
+    <Deny ID="ID_DENY_DHKERNEL_6" FriendlyName="YY_DhKernel\bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955 Hash Sha256" Hash="F5215F83138901CA7ADE60C2222446FA3DD7E8900A745BD339F8A596CB29356C" />
+    <Deny ID="ID_DENY_DHKERNEL_8" FriendlyName="YY_DhKernel\bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955 Hash Page Sha1" Hash="475E1306D823702264DB8451D8A1D3512E7CA260" />
+    <Deny ID="ID_DENY_DHKERNEL_9" FriendlyName="YY_DhKernel\bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955 Hash Page Sha256" Hash="2BF083DCADC1CAE99AD5C5901317130C1230A228208F37DCB4DF341394442299" />
+    <Deny ID="ID_DENY_DHKERNEL_10" FriendlyName="YY_DhKernel\dcd026fd2ff8d517e2779d67b3d2d5f9a7aa39f19c66fa8ff2cab66d5c6461c6 Hash Sha1" Hash="39ED8A86F91A548AE05E71E9C1C337ED4FAD8EE4" />
+    <Deny ID="ID_DENY_DHKERNEL_11" FriendlyName="YY_DhKernel\dcd026fd2ff8d517e2779d67b3d2d5f9a7aa39f19c66fa8ff2cab66d5c6461c6 Hash Sha256" Hash="8BCE2AFD04EC073143A2A4BA51671992451C8E747A84852458321F2D275B5433" />
+    <Deny ID="ID_DENY_DHKERNEL_12" FriendlyName="YY_DhKernel\dcd026fd2ff8d517e2779d67b3d2d5f9a7aa39f19c66fa8ff2cab66d5c6461c6 Hash Page Sha1" Hash="890A839069A81D76EB8FB53C9D18F8BE09C101F2" />
+    <Deny ID="ID_DENY_DHKERNEL_13" FriendlyName="YY_DhKernel\dcd026fd2ff8d517e2779d67b3d2d5f9a7aa39f19c66fa8ff2cab66d5c6461c6 Hash Page Sha256" Hash="F7365B2ECAD159FFD61261F114333765FD73E3039270F51837EB24A63455AE9A" />
     <Deny ID="ID_DENY_DIRECTIO_12" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="E8F7E20061F9CC20583DCAB3B16054D106B8AA83" />
     <Deny ID="ID_DENY_DIRECTIO_13" FriendlyName="PassMark DirectIo.sys Hash Sha256" Hash="B8BF3BD441EBC5814C5D39D053FDCB263E8E58476CBDEE4B1226903305F547B6" />
     <Deny ID="ID_DENY_DIRECTIO_14" FriendlyName="PassMark DirectIo.sys Hash Page Sha1" Hash="36875A862D1E762E6CC75595EF37EA7460A1E1DF" />
@@ -641,6 +642,18 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_DIRECTIO_71" FriendlyName="DirectIO32\fac102ef0a36d2d7b4390776a9c3edded72e01e7316949179e6fbe23495121fb Hash Sha256" Hash="A9EB36FB737735DFF8245E1AA599054C0214FB9DE0CBA371357ED59FDE451308" />
     <Deny ID="ID_DENY_DIRECTIO_72" FriendlyName="DirectIO32\fac102ef0a36d2d7b4390776a9c3edded72e01e7316949179e6fbe23495121fb Hash Page Sha1" Hash="BCC1292F68AA179DA3EDFF5D5D6D1D991BEA7EB5" />
     <Deny ID="ID_DENY_DIRECTIO_73" FriendlyName="DirectIO32\fac102ef0a36d2d7b4390776a9c3edded72e01e7316949179e6fbe23495121fb Hash Page Sha256" Hash="AC8A4EE171C6E4905B370F7E01F6C11F7669BE4613E8DACACB5428B5E87DB390" />
+    <Deny ID="ID_DENY_ECHO_1" FriendlyName="Inspect EchoDriver\a41e9bb037cf1dc2237659b1158f0ed4e49b752b2f9dae4cc310933a9d1f1e47 Hash Sha1" Hash="503901E0DA00E491F28389F17CAFD1F1D5243C60" />
+    <Deny ID="ID_DENY_ECHO_2" FriendlyName="Inspect EchoDriver\a41e9bb037cf1dc2237659b1158f0ed4e49b752b2f9dae4cc310933a9d1f1e47 Hash Sha256" Hash="48DC7FD16AACDC8792F8BAD1B1F7CA9D675DDAC7767E957EA8C4227150D64E2D" />
+    <Deny ID="ID_DENY_ECHO_3" FriendlyName="Inspect EchoDriver\a41e9bb037cf1dc2237659b1158f0ed4e49b752b2f9dae4cc310933a9d1f1e47 Hash Page Sha1" Hash="0CE7E3B661DB16FBCFE93376127DC37EA23313A5" />
+    <Deny ID="ID_DENY_ECHO_4" FriendlyName="Inspect EchoDriver\a41e9bb037cf1dc2237659b1158f0ed4e49b752b2f9dae4cc310933a9d1f1e47 Hash Page Sha256" Hash="23C062104693B80CEC745DEC40B433D0D0B683C63496740B943CCB0D22F7361B" />
+    <Deny ID="ID_DENY_ECHO_5" FriendlyName="Inspect EchoDriver\ada2b855757c9062231f5ed4e80365b8d8094e9adbce8f26d1ff5ea0b7a70c77 Hash Sha1" Hash="18CD81740893FA24F1AFBB9D187A60AF9C5B2902" />
+    <Deny ID="ID_DENY_ECHO_6" FriendlyName="Inspect EchoDriver\ada2b855757c9062231f5ed4e80365b8d8094e9adbce8f26d1ff5ea0b7a70c77 Hash Sha256" Hash="4160DAE22484062CCC3750CC9CAC8F929D8701694160A3B508715610814AA28D" />
+    <Deny ID="ID_DENY_ECHO_7" FriendlyName="Inspect EchoDriver\ada2b855757c9062231f5ed4e80365b8d8094e9adbce8f26d1ff5ea0b7a70c77 Hash Page Sha1" Hash="2EFC7864E1E8AA87EFFEB13A2A3402CDC64FB6D2" />
+    <Deny ID="ID_DENY_ECHO_8" FriendlyName="Inspect EchoDriver\ada2b855757c9062231f5ed4e80365b8d8094e9adbce8f26d1ff5ea0b7a70c77 Hash Page Sha256" Hash="3709D170C4F5A7668C9180AFBDB8A4F6E9EE6E6A6C048B55D34FEA9DAA253127" />
+    <Deny ID="ID_DENY_ECHO_9" FriendlyName="Inspect EchoDriver\ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9 Hash Sha1" Hash="678620A9CC9E7FFE179BC5CDA0A2DD0597E231EE" />
+    <Deny ID="ID_DENY_ECHO_A" FriendlyName="Inspect EchoDriver\ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9 Hash Sha256" Hash="92F9D73CEC5AB3352C4B3CBF4574D13B2E506CBA24CC74580E19E941063EAF7D" />
+    <Deny ID="ID_DENY_ECHO_B" FriendlyName="Inspect EchoDriver\ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9 Hash Page Sha1" Hash="832832028D40A3CFD08D364554FCE0B4F37317FF" />
+    <Deny ID="ID_DENY_ECHO_C" FriendlyName="Inspect EchoDriver\ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9 Hash Page Sha256" Hash="49ED19D5E1E122936035A48EA99FFD68CA4915578107888D5C2B0BB9E30E67C0" />
     <Deny ID="ID_DENY_EIO64_1" FriendlyName="Asus EIO64\b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0 Hash Sha1" Hash="200BE5A696990EE97B4C3176234CDE46C3EBC2CE" />
     <Deny ID="ID_DENY_EIO64_2" FriendlyName="Asus EIO64\b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0 Hash Sha256" Hash="72B36C64F0B349D7816C8E5E2D1A7F59807DE0C87D3F071A04DBC56BEC9C00DB" />
     <Deny ID="ID_DENY_EIO64_3" FriendlyName="Asus EIO64\b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0 Hash Page Sha1" Hash="DB88BFE5F3DE4E3CC778FE456B542EC4135433A4" />
@@ -649,6 +662,10 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_EIO64_6" FriendlyName="Asus EIO64\cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb Hash Sha256" Hash="D4E7335A177E47688D68AD89940C272F82728C882623F1630E7FD2E03E16F003" />
     <Deny ID="ID_DENY_EIO64_7" FriendlyName="Asus EIO64\cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb Hash Page Sha1" Hash="D1AAAAF1EEA34073BAF39C7494E646C5AD2475F5" />
     <Deny ID="ID_DENY_EIO64_8" FriendlyName="Asus EIO64\cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb Hash Page Sha256" Hash="796BEC283155309F2DF0B1779CABC78A3B2161FFCED9F521DB231550DCB376A1" />
+    <Deny ID="ID_DENY_GVCIDRV_1" FriendlyName="Gigabyte gvcidrv\42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f Hash Sha1" Hash="4EAE38E9DC262EB7B6EDE4B3D3F4AD068933845E" />
+    <Deny ID="ID_DENY_GVCIDRV_2" FriendlyName="Gigabyte gvcidrv\42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f Hash Sha256" Hash="2FF09BB919A9909068166C30322C4E904BEFEBA5429E9A11D011297FB8A73C07" />
+    <Deny ID="ID_DENY_GVCIDRV_3" FriendlyName="Gigabyte gvcidrv\42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f Hash Page Sha1" Hash="6980122AEF4E2D5D7A6DDDB6DA76A166C460E0A1" />
+    <Deny ID="ID_DENY_GVCIDRV_4" FriendlyName="Gigabyte gvcidrv\42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f Hash Page Sha256" Hash="A69247025DD32DC15E06FEE362B494BCC6105D34B8D7091F7EC3D9000BD71501" />
     <Deny ID="ID_DENY_HW_22" FriendlyName="hw_sys\b8fcc8ef2b27c0c0622d069981e39f112d3b3b0dbede053340bc157ba1316eab Hash Sha1" Hash="924A088149D6EE89551E15D45E7BC847B9561196" />
     <Deny ID="ID_DENY_HW_23" FriendlyName="hw_sys\b8fcc8ef2b27c0c0622d069981e39f112d3b3b0dbede053340bc157ba1316eab Hash Sha256" Hash="5E1E1489A1A01CFB466B527543D9D25112A83792BDE443DE9E34E4D3ADA697E3" />
     <Deny ID="ID_DENY_HW_24" FriendlyName="hw_sys\b8fcc8ef2b27c0c0622d069981e39f112d3b3b0dbede053340bc157ba1316eab Hash Page Sha1" Hash="ADB70331BE7B68359C3EC3065C045349EA5B2EE2" />
@@ -678,6 +695,90 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_INPOUTX_21" FriendlyName="inpoutx\d5cc046c2ae9ba6fe54def699f1c4fa92d3226304321bbf45cc33883ce131138 Hash Sha256" Hash="D5CC046C2AE9BA6FE54DEF699F1C4FA92D3226304321BBF45CC33883CE131138" />
     <Deny ID="ID_DENY_INPOUTX_22" FriendlyName="inpoutx\e2c531a771b0df1585518a22427798e86611e6be3d357024797871a1b3876e9c Hash Sha1" Hash="CCE8ED3969E52080B32BCC59E2EC174CA9C578EC" />
     <Deny ID="ID_DENY_INPOUTX_23" FriendlyName="inpoutx\e2c531a771b0df1585518a22427798e86611e6be3d357024797871a1b3876e9c Hash Sha256" Hash="E2C531A771B0DF1585518A22427798E86611E6BE3D357024797871A1B3876E9C" />
+    <Deny ID="ID_DENY_IREC_1" FriendlyName="IREC.sys\irec32--1.sys Hash Sha1" Hash="B715B8030FC28346C97B5F5FB901C390ED5C97B6" />
+    <Deny ID="ID_DENY_IREC_2" FriendlyName="IREC.sys\irec32--1.sys Hash Sha256" Hash="2E8E61DAA45061AE04AABEE086371A6D56F0D517AA584E1B70C8423C8E469310" />
+    <Deny ID="ID_DENY_IREC_3" FriendlyName="IREC.sys\irec32--1.sys Hash Page Sha1" Hash="9DF591D3672885C5BAA454413C75D974386B9F14" />
+    <Deny ID="ID_DENY_IREC_4" FriendlyName="IREC.sys\irec32--1.sys Hash Page Sha256" Hash="883602C2C622E270F91E6391FE5E4B156CB68ED6B41A2F5694EFB93774579FFF" />
+    <Deny ID="ID_DENY_IREC_5" FriendlyName="IREC.sys\irec32--10.sys Hash Sha1" Hash="BCA37BCC2AEE3383F43D0126E30E07893E40F452" />
+    <Deny ID="ID_DENY_IREC_6" FriendlyName="IREC.sys\irec32--10.sys Hash Sha256" Hash="B431CBD247F1D229CA2A90256063973A8B4129A154926026366766677AB740F6" />
+    <Deny ID="ID_DENY_IREC_7" FriendlyName="IREC.sys\irec32--10.sys Hash Page Sha1" Hash="4B2582568EC84D1711D3EDCBE53730F32D9EA4F5" />
+    <Deny ID="ID_DENY_IREC_8" FriendlyName="IREC.sys\irec32--10.sys Hash Page Sha256" Hash="6D94B06210D7946DD9F4EC83D2E804FC6EA0083E95CBACA0E62D84891C9DA51C" />
+    <Deny ID="ID_DENY_IREC_9" FriendlyName="IREC.sys\irec32--11.sys Hash Sha1" Hash="EAA1C906B44925B71D4F67A29F125158CF58FBA1" />
+    <Deny ID="ID_DENY_IREC_A" FriendlyName="IREC.sys\irec32--11.sys Hash Sha256" Hash="EBFF008864CE631BCD44328DF0E72901EA08B83EA25EB6949FC8D61335E6A149" />
+    <Deny ID="ID_DENY_IREC_B" FriendlyName="IREC.sys\irec32--11.sys Hash Page Sha1" Hash="86777AF3C0E74138EF70C3DC02D98E3938F244BA" />
+    <Deny ID="ID_DENY_IREC_C" FriendlyName="IREC.sys\irec32--11.sys Hash Page Sha256" Hash="968D1E5440BA5F42E5E50C33ECFEE253FC6217F58F0475EC881DF9A65F254584" />
+    <Deny ID="ID_DENY_IREC_D" FriendlyName="IREC.sys\irec32--2.sys Hash Sha1" Hash="BC47F6F4A03B944A2C9BADA25275D5ED35A00946" />
+    <Deny ID="ID_DENY_IREC_E" FriendlyName="IREC.sys\irec32--2.sys Hash Sha256" Hash="E04C028FA5D0343A10C1D526ADD23B5C98834B252A87732CF69F4D482A7DAB94" />
+    <Deny ID="ID_DENY_IREC_F" FriendlyName="IREC.sys\irec32--2.sys Hash Page Sha1" Hash="F2F9BC79B1CF1FC2C4F9C3B59C53F5A8949CC987" />
+    <Deny ID="ID_DENY_IREC_10" FriendlyName="IREC.sys\irec32--2.sys Hash Page Sha256" Hash="5ECD5D7679504C22300263889CC3B48F1724EC5276CA24C06BABED595C3501AF" />
+    <Deny ID="ID_DENY_IREC_11" FriendlyName="IREC.sys\irec32--3.sys Hash Sha1" Hash="94881B8F8C0BD3EC9B4F8C44D74CD774AAEF77CA" />
+    <Deny ID="ID_DENY_IREC_12" FriendlyName="IREC.sys\irec32--3.sys Hash Sha256" Hash="A026FADABEB628EAD4399CA3FB3369224983E311CF927EAC7826B230CB774B67" />
+    <Deny ID="ID_DENY_IREC_13" FriendlyName="IREC.sys\irec32--3.sys Hash Page Sha1" Hash="3DEF49B1C6095AD5A5CACB5ED24958070C872925" />
+    <Deny ID="ID_DENY_IREC_14" FriendlyName="IREC.sys\irec32--3.sys Hash Page Sha256" Hash="00A813073AED7A5C795C35BF239536962683A73BB315C774DBA9838144131DEF" />
+    <Deny ID="ID_DENY_IREC_15" FriendlyName="IREC.sys\irec32--5.sys Hash Sha1" Hash="7C1B5F25BBA93877FA3D5626F3FF08FC865FC062" />
+    <Deny ID="ID_DENY_IREC_16" FriendlyName="IREC.sys\irec32--5.sys Hash Sha256" Hash="BB02A566FFE392BA15F3DD0FA0F2B08AE684462D41FE2141D98E9E8F416BC339" />
+    <Deny ID="ID_DENY_IREC_17" FriendlyName="IREC.sys\irec32--5.sys Hash Page Sha1" Hash="A987A4E8B23A90EC582C18CCB6A4FC075BBBE564" />
+    <Deny ID="ID_DENY_IREC_18" FriendlyName="IREC.sys\irec32--5.sys Hash Page Sha256" Hash="2ABA330D66FA4FA0348B52C068B8C754C18565D55059FF02D114C52A00946996" />
+    <Deny ID="ID_DENY_IREC_19" FriendlyName="IREC.sys\irec32--7.sys Hash Sha1" Hash="EF221C26D16FDFC16B6B416666AC27C67A123EDB" />
+    <Deny ID="ID_DENY_IREC_1A" FriendlyName="IREC.sys\irec32--7.sys Hash Sha256" Hash="2E5C4332A9EC895818F3F5EB3C101D2E55F4C588A57E4DAAD0544F5F3E434DD6" />
+    <Deny ID="ID_DENY_IREC_1B" FriendlyName="IREC.sys\irec32--7.sys Hash Page Sha1" Hash="98C5D52418EF0D4489EAD7341D4C80337E5438F4" />
+    <Deny ID="ID_DENY_IREC_1C" FriendlyName="IREC.sys\irec32--7.sys Hash Page Sha256" Hash="48AB3B361354812A7353F902491B4814268325AC53D79B81B3938A66A294E219" />
+    <Deny ID="ID_DENY_IREC_1D" FriendlyName="IREC.sys\irec32--8.sys Hash Sha1" Hash="4432DB3BCB9B8F14F1D8CBA0292985A206A624B5" />
+    <Deny ID="ID_DENY_IREC_1E" FriendlyName="IREC.sys\irec32--8.sys Hash Sha256" Hash="5B942A0686EE8772E0CC5070F9A023067410A7FC2F17EE902A380592EFF9DF98" />
+    <Deny ID="ID_DENY_IREC_1F" FriendlyName="IREC.sys\irec32--8.sys Hash Page Sha1" Hash="504DADC23313231D3670E0D60AB12CC9D3F8F366" />
+    <Deny ID="ID_DENY_IREC_20" FriendlyName="IREC.sys\irec32--8.sys Hash Page Sha256" Hash="83A28797DF3C1134FD2CF3BB3E1967C8BE2CF9D1BA13DEDB1367CE9E1E8FE84A" />
+    <Deny ID="ID_DENY_IREC_21" FriendlyName="IREC.sys\irec32--9.sys Hash Sha1" Hash="E388275F8874F95E4484F52742FCFB3751B33FF9" />
+    <Deny ID="ID_DENY_IREC_22" FriendlyName="IREC.sys\irec32--9.sys Hash Sha256" Hash="C9488EDE76B64E13E625D7EAEAFE5CE0C1B180CA6FB429B8C4C8DF5089DEEAF5" />
+    <Deny ID="ID_DENY_IREC_23" FriendlyName="IREC.sys\irec32--9.sys Hash Page Sha1" Hash="A4C243D53D69FBA0539949D7966E2DF67C4010CE" />
+    <Deny ID="ID_DENY_IREC_24" FriendlyName="IREC.sys\irec32--9.sys Hash Page Sha256" Hash="D6818FA421D57D961BD54625C2BDD0FB0C1E16CF00E404DBF37F1BC86DB48C20" />
+    <Deny ID="ID_DENY_IREC_25" FriendlyName="IREC.sys\irec64--16.sys Hash Sha1" Hash="169DD93FD4A637E452B148309C2E187880534E12" />
+    <Deny ID="ID_DENY_IREC_26" FriendlyName="IREC.sys\irec64--16.sys Hash Sha256" Hash="43BF704522A5E01030A9B5CDFBDD7B226E93B40B5AF62581495E66407F365B10" />
+    <Deny ID="ID_DENY_IREC_27" FriendlyName="IREC.sys\irec64--16.sys Hash Page Sha1" Hash="A9D9D7FF0D091A63491D43B4E9FB3852BC1BD5B1" />
+    <Deny ID="ID_DENY_IREC_28" FriendlyName="IREC.sys\irec64--16.sys Hash Page Sha256" Hash="1356FD71998471A795A4CBFDACED2D86879F05CEE383918B516BCF14ACAF547D" />
+    <Deny ID="ID_DENY_IREC_29" FriendlyName="IREC.sys\irec64--17.sys Hash Sha1" Hash="8E5B173D15C5E940D8D2D1985810D5EB2118AFAD" />
+    <Deny ID="ID_DENY_IREC_2A" FriendlyName="IREC.sys\irec64--17.sys Hash Sha256" Hash="06A136B23ADE23C02509A896A05CF6D99DF93E774A10583B796B61E3F643A858" />
+    <Deny ID="ID_DENY_IREC_2B" FriendlyName="IREC.sys\irec64--17.sys Hash Page Sha1" Hash="BC95CB78F67C3F98380CB53FE1EB3A495BF53B8B" />
+    <Deny ID="ID_DENY_IREC_2C" FriendlyName="IREC.sys\irec64--17.sys Hash Page Sha256" Hash="F563312E01F7C88293CC4374C97737EDAED22A6FD26E0106CB6A30CE68C3BD45" />
+    <Deny ID="ID_DENY_IREC_2D" FriendlyName="IREC.sys\irec64--18.sys Hash Sha1" Hash="90EBE947F9DAEF1ABEE0BCC2241069E061AE24ED" />
+    <Deny ID="ID_DENY_IREC_2E" FriendlyName="IREC.sys\irec64--18.sys Hash Sha256" Hash="9A6E8BD410BA51574B773B98C6488FC332F445DA0E94E78F693B9A76E86DFBCC" />
+    <Deny ID="ID_DENY_IREC_2F" FriendlyName="IREC.sys\irec64--18.sys Hash Page Sha1" Hash="B8FC6F0E07F898268E43652C0CCB650405CCD68C" />
+    <Deny ID="ID_DENY_IREC_30" FriendlyName="IREC.sys\irec64--18.sys Hash Page Sha256" Hash="BA7317A12A431DA55E53778C9EC0D58DB701E88B89D03A9EDD7C5C1012E66A14" />
+    <Deny ID="ID_DENY_IREC_31" FriendlyName="IREC.sys\irec64--19.sys Hash Sha1" Hash="719F659300BA463EFEEAB5916F0378C64FC1AD4A" />
+    <Deny ID="ID_DENY_IREC_32" FriendlyName="IREC.sys\irec64--19.sys Hash Sha256" Hash="457E2EB5EE1DEF0E336463B7F62DCC02FDDE307B817CF750907A5F5465C4DCB7" />
+    <Deny ID="ID_DENY_IREC_33" FriendlyName="IREC.sys\irec64--19.sys Hash Page Sha1" Hash="F7FEA2BE8FF65DBB89BAF39EF8E0D80DAB81CB8E" />
+    <Deny ID="ID_DENY_IREC_34" FriendlyName="IREC.sys\irec64--19.sys Hash Page Sha256" Hash="5FEB045C2452FD280BA1CAD5FC9B4F0DE7FC95EABDCE19FA2CD1F632891F3B1A" />
+    <Deny ID="ID_DENY_IREC_35" FriendlyName="IREC.sys\irec64--21.sys Hash Sha1" Hash="37486D0CA79CF2924D8540B00E84FF4F9C86F574" />
+    <Deny ID="ID_DENY_IREC_36" FriendlyName="IREC.sys\irec64--21.sys Hash Sha256" Hash="87F01D8BF8424D801D4B47273918FB817DA2E59F517BA1FC1C038FB3C4E91A17" />
+    <Deny ID="ID_DENY_IREC_37" FriendlyName="IREC.sys\irec64--21.sys Hash Page Sha1" Hash="54CBAEDB10F2AFAA73E4C209ECD6E76B3912AF6F" />
+    <Deny ID="ID_DENY_IREC_38" FriendlyName="IREC.sys\irec64--21.sys Hash Page Sha256" Hash="09516642395221D25006D8E604D7FC519DE102453875D6DD325D02A80A4D30CE" />
+    <Deny ID="ID_DENY_IREC_39" FriendlyName="IREC.sys\irec64--23.sys Hash Sha1" Hash="E4496961589BB0C03F05016AA3242B2D1ACD5E3F" />
+    <Deny ID="ID_DENY_IREC_3A" FriendlyName="IREC.sys\irec64--23.sys Hash Sha256" Hash="D62B9E6BC56E042C1CE7CB6493AB7FD1B58F716D1C4DC9E56DDFDBDB79B4F3E4" />
+    <Deny ID="ID_DENY_IREC_3B" FriendlyName="IREC.sys\irec64--23.sys Hash Page Sha1" Hash="0F11543D227EB822C9FBB3F4B9E497E1831BFAA9" />
+    <Deny ID="ID_DENY_IREC_3C" FriendlyName="IREC.sys\irec64--23.sys Hash Page Sha256" Hash="A28B1BD5B1C5D3C91029CAEAE0FB71AFD3485A5D6701DF812D9181B429E605F1" />
+    <Deny ID="ID_DENY_IREC_3D" FriendlyName="IREC.sys\irec64--24.sys Hash Sha1" Hash="288AA5926A9382D34AF147B142BCDD02C06B39BD" />
+    <Deny ID="ID_DENY_IREC_3E" FriendlyName="IREC.sys\irec64--24.sys Hash Sha256" Hash="66A751B6168A4D9F2F5F5D8D18BEF25F1494E0E20A31360E0F72E498096DE23F" />
+    <Deny ID="ID_DENY_IREC_3F" FriendlyName="IREC.sys\irec64--24.sys Hash Page Sha1" Hash="D71E1AA8124D6E634D2F8C9C08E6D1BFC29F0E3A" />
+    <Deny ID="ID_DENY_IREC_40" FriendlyName="IREC.sys\irec64--24.sys Hash Page Sha256" Hash="66D06BE183B3AE3F51798A4FCFAB56CAD3B92135429620F5EC1589258F799326" />
+    <Deny ID="ID_DENY_IREC_41" FriendlyName="IREC.sys\irec64--25.sys Hash Sha1" Hash="8BBB803E9F79196590FC33E4FB216D556E318F86" />
+    <Deny ID="ID_DENY_IREC_42" FriendlyName="IREC.sys\irec64--25.sys Hash Sha256" Hash="9C709B73D67AC049C391EB398A08056422AA677801B2AF924CF3BBACD3D484D2" />
+    <Deny ID="ID_DENY_IREC_43" FriendlyName="IREC.sys\irec64--25.sys Hash Page Sha1" Hash="0D28D548B2E5C5CBB279061A32CC46297A1F531C" />
+    <Deny ID="ID_DENY_IREC_44" FriendlyName="IREC.sys\irec64--25.sys Hash Page Sha256" Hash="924DF2032B3B70CD9D9ACC3AC28D0924E8D9EAA24CD406688E2DC0E3BFC3F70A" />
+    <Deny ID="ID_DENY_IREC_45" FriendlyName="IREC.sys\irec64--26.sys Hash Sha1" Hash="63DC0951A2D8FD32F62E7ECBB34B917EDB855E27" />
+    <Deny ID="ID_DENY_IREC_46" FriendlyName="IREC.sys\irec64--26.sys Hash Sha256" Hash="D48B16426AD15C2FCD570F68893BDDFC16E61BF47E86575D17B7CBDED71F9937" />
+    <Deny ID="ID_DENY_IREC_47" FriendlyName="IREC.sys\irec64--26.sys Hash Page Sha1" Hash="798CF0D31E7DE95236D32526D98B1B9F398EF451" />
+    <Deny ID="ID_DENY_IREC_48" FriendlyName="IREC.sys\irec64--26.sys Hash Page Sha256" Hash="679ECD06D16A6E5D647E955DC8DB480F2799868C1C8F2334DAF11B095DCE9DCB" />
+    <Deny ID="ID_DENY_IREC_49" FriendlyName="IREC.sys\irec64--27.sys Hash Sha1" Hash="EFE0B7278B60880F2A7EE6FE6F7EC274995C8D0E" />
+    <Deny ID="ID_DENY_IREC_4A" FriendlyName="IREC.sys\irec64--27.sys Hash Sha256" Hash="F2F3907897D349B6263C1FBC16BF12534886DB847E98BFFE786025C16E2796C1" />
+    <Deny ID="ID_DENY_IREC_4B" FriendlyName="IREC.sys\irec64--27.sys Hash Page Sha1" Hash="CA64B7A0BEA9C46986C9CCC869F66DB49FC82CDA" />
+    <Deny ID="ID_DENY_IREC_4C" FriendlyName="IREC.sys\irec64--27.sys Hash Page Sha256" Hash="6789CA368EC8D5D01FD8D379A119CEAA677798BA0763BEBBE65C9FA5E581A160" />
+    <Deny ID="ID_DENY_IREC_4D" FriendlyName="IREC.sys\irec64--28.sys Hash Sha1" Hash="8B8D832E9F39281A454CE6D6A876338B8931075F" />
+    <Deny ID="ID_DENY_IREC_4E" FriendlyName="IREC.sys\irec64--28.sys Hash Sha256" Hash="7CCCD8D23FDABF6F6AC6725521EF99B6CB90BA5045FC13540EC6B9BB69F71AB0" />
+    <Deny ID="ID_DENY_IREC_4F" FriendlyName="IREC.sys\irec64--28.sys Hash Page Sha1" Hash="CC1696378EC427350B8AF1327113DC18FFE8433C" />
+    <Deny ID="ID_DENY_IREC_50" FriendlyName="IREC.sys\irec64--28.sys Hash Page Sha256" Hash="8248A91E24E4DE42B0690268C781938095D1C4F89750A66D8E05DBE5DD709864" />
+    <Deny ID="ID_DENY_IREC_51" FriendlyName="IREC.sys\irecARM64--45.sys Hash Sha1" Hash="F89D40FA04E040EF2B6170CAA7E7BDF52A40B2E6" />
+    <Deny ID="ID_DENY_IREC_52" FriendlyName="IREC.sys\irecARM64--45.sys Hash Sha256" Hash="7883DDEBE413E3D18E93FE73CA293322235A6EF6AEF5AD7030B743A4ECED83A3" />
+    <Deny ID="ID_DENY_IREC_53" FriendlyName="IREC.sys\irecARM64--45.sys Hash Page Sha1" Hash="2C8F603F5420AC349DAD3051C6DD820DC1D34C8E" />
+    <Deny ID="ID_DENY_IREC_54" FriendlyName="IREC.sys\irecARM64--45.sys Hash Page Sha256" Hash="8154EA793FC5DA34AAA7B14D24F462D1E6838AA7DE44CF3E5F332A8C66191DF2" />
     <Deny ID="ID_DENY_LGCORETEMP_1" FriendlyName="lgcoretemp\e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef Hash Sha1" Hash="BF20C99129A768B3D2D5C621AB50375984AB9351" />
     <Deny ID="ID_DENY_LGCORETEMP_2" FriendlyName="lgcoretemp\e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef Hash Sha256" Hash="9C4DB6EE983FD4FA74F8212031ADE343A1B9ABDB258D05BEF1AABD7AB49FBC16" />
     <Deny ID="ID_DENY_LGCORETEMP_3" FriendlyName="lgcoretemp\e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef Hash Page Sha1" Hash="4DD5A5D9B4AF0708902DF52C6C42921DE296CC21" />
@@ -760,6 +861,14 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_MSIO_10" FriendlyName="MsIo.sys Hash Sha256" Hash="BE0AF245444321E51F4DD8A90A19A0ABE05A060CBAD93701E23A02DF307957AE" />
     <Deny ID="ID_DENY_MSIO_11" FriendlyName="MsIo.sys Hash Sha1" Hash="B2CD3A63D04EAE427BEDE6C6FE8FACBA91ECECBF" />
     <Deny ID="ID_DENY_MSIO_12" FriendlyName="MsIo.sys Hash Sha256" Hash="D86D6732AC4D1CB41A2DCE40436B839C0DFDCEF9BA306CE5D0F97C0522ABFAC8" />
+    <Deny ID="ID_DENY_MSR_1" FriendlyName="Datapath msr.sys\6c6a4d07e95ab4212c2afefcb0ce37dc485fa56120b0419b636bd8bd326038c1.sys Hash Sha1" Hash="381CC2B974D440EDEA0BBC010C4BEF4CDC2169B7" />
+    <Deny ID="ID_DENY_MSR_2" FriendlyName="Datapath msr.sys\6c6a4d07e95ab4212c2afefcb0ce37dc485fa56120b0419b636bd8bd326038c1.sys Hash Sha256" Hash="D23F28169D6E5C09A89E5136A4FF899A3B6F886535BB0254A27DD00A2753C412" />
+    <Deny ID="ID_DENY_MSR_3" FriendlyName="Datapath msr.sys\6c6a4d07e95ab4212c2afefcb0ce37dc485fa56120b0419b636bd8bd326038c1.sys Hash Page Sha1" Hash="5CB0D5676E465F6F389BED975B426705AC30DBC6" />
+    <Deny ID="ID_DENY_MSR_4" FriendlyName="Datapath msr.sys\6c6a4d07e95ab4212c2afefcb0ce37dc485fa56120b0419b636bd8bd326038c1.sys Hash Page Sha256" Hash="F05027D011C6123FA6EFB78AEA60528568FC80F6D9FD5CD1232F9B79B4216D3B" />
+    <Deny ID="ID_DENY_MSR_5" FriendlyName="Datapath msr.sys\ede9a3858a12d5ddea21a310e5721bf86c2248539f42c9e0c3c29ae5b0148ba5 Hash Sha1" Hash="2146BF058139453C0447786D6F6D5FC454AB955F" />
+    <Deny ID="ID_DENY_MSR_6" FriendlyName="Datapath msr.sys\ede9a3858a12d5ddea21a310e5721bf86c2248539f42c9e0c3c29ae5b0148ba5 Hash Sha256" Hash="1F8812611CF7120E89E769CC908FABC0C9E49B27FDED8DDE6A3DE51D9CE34F09" />
+    <Deny ID="ID_DENY_MSR_7" FriendlyName="Datapath msr.sys\ede9a3858a12d5ddea21a310e5721bf86c2248539f42c9e0c3c29ae5b0148ba5 Hash Page Sha1" Hash="81DE92B2555D9A29C5E48CB4893ADF0131EAD233" />
+    <Deny ID="ID_DENY_MSR_8" FriendlyName="Datapath msr.sys\ede9a3858a12d5ddea21a310e5721bf86c2248539f42c9e0c3c29ae5b0148ba5 Hash Page Sha256" Hash="CA90FFB147D600E7F42E8790CBD9FE7D69C7463DE88B08723E210750E1E272BD" />
     <Deny ID="ID_DENY_NVFLASH_1" FriendlyName="nvflash.sys\0a89a6ab2fca486480b6e3dacf392d6ce0c59a5bdb4bcd18d672feb4ebb0543c Hash Sha1" Hash="213C4EC78132D6C0FDFDD7B640107E0CE4990A0E" />
     <Deny ID="ID_DENY_NVFLASH_2" FriendlyName="nvflash.sys\0a89a6ab2fca486480b6e3dacf392d6ce0c59a5bdb4bcd18d672feb4ebb0543c Hash Sha256" Hash="91EE89520105CCBCECA6EE0E34070F28C8DC5A3D73EC65F384DA5DA4F2A36DC0" />
     <Deny ID="ID_DENY_NVFLASH_3" FriendlyName="nvflash.sys\0a89a6ab2fca486480b6e3dacf392d6ce0c59a5bdb4bcd18d672feb4ebb0543c Hash Page Sha1" Hash="C24D6F9132486AF1EB2937D9366275126A5A35E1" />
@@ -868,6 +977,26 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_NVFLASH_6A" FriendlyName="nvflash.sys\ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18 Hash Sha256" Hash="157CE9AE0D09766CFA3E5BE8F90E2AC510F0CE3A0BB7CD97E3A5F9AA20C76661" />
     <Deny ID="ID_DENY_NVFLASH_6B" FriendlyName="nvflash.sys\ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18 Hash Page Sha1" Hash="C1DC399DF098A44F569BA80ECCFE0B5724362B16" />
     <Deny ID="ID_DENY_NVFLASH_6C" FriendlyName="nvflash.sys\ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18 Hash Page Sha256" Hash="D6E111744E51D167F040AC43D426D852013241C717C557ECC8C8FCEAA0F01BBC" />
+    <Deny ID="ID_DENY_NVOCLOCK_1" FriendlyName="nvoclock\2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958 Hash Sha1" Hash="0380CE3467B97AA19CA6AB3177651B22A77D9C0E" />
+    <Deny ID="ID_DENY_NVOCLOCK_2" FriendlyName="nvoclock\2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958 Hash Sha256" Hash="717242AD6A3AFB6F236890CAA44501A4BE8D0AB019F028BA2C74D3455F065804" />
+    <Deny ID="ID_DENY_NVOCLOCK_3" FriendlyName="nvoclock\2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958 Hash Page Sha1" Hash="B80FECC3E055CE1952E0C9F491B9BBC4EDD3591A" />
+    <Deny ID="ID_DENY_NVOCLOCK_4" FriendlyName="nvoclock\2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958 Hash Page Sha256" Hash="D1CC7B5CED135FC9CF1170C78F6B3FD789962A73D84114C3ACC93FFBABA59C77" />
+    <Deny ID="ID_DENY_NVOCLOCK_5" FriendlyName="nvoclock\29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36 Hash Sha1" Hash="E7F478393A69EC3FE0A026584DDC26FD336DC4F0" />
+    <Deny ID="ID_DENY_NVOCLOCK_6" FriendlyName="nvoclock\29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36 Hash Sha256" Hash="73664268A737D071F2C3C67503002DB08432953F14771317835B6F080D3DAEFF" />
+    <Deny ID="ID_DENY_NVOCLOCK_7" FriendlyName="nvoclock\3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284 Hash Sha1" Hash="1E4FDFE6750A04756332CC5A5896CD5763C923C7" />
+    <Deny ID="ID_DENY_NVOCLOCK_8" FriendlyName="nvoclock\3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284 Hash Sha256" Hash="1848CB34D16559E3C8232C369D89FC12B5720B58300D8C4C21DADE6E3EA8D585" />
+    <Deny ID="ID_DENY_NVOCLOCK_9" FriendlyName="nvoclock\4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d Hash Sha1" Hash="FB6958D7D53E63EDEB4CCEEBAB4D12CA70202109" />
+    <Deny ID="ID_DENY_NVOCLOCK_10" FriendlyName="nvoclock\4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d Hash Sha256" Hash="F72DBB2A818BA47CA03FFBE50D211050210699C25CAEC3B97CA960D7286D4B6A" />
+    <Deny ID="ID_DENY_NVOCLOCK_11" FriendlyName="nvoclock\64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5 Hash Sha1" Hash="2D63276EB232457770188F2DF6FC67EB41FAACD1" />
+    <Deny ID="ID_DENY_NVOCLOCK_12" FriendlyName="nvoclock\64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5 Hash Sha256" Hash="ABBF92203A31C93B8E719CDABFF1C681921EDBAF43CD34DA79C86CB5A806757F" />
+    <Deny ID="ID_DENY_NVOCLOCK_13" FriendlyName="nvoclock\64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5 Hash Page Sha1" Hash="6687A30E8887A18CBCC962E2BDE118BA66310F15" />
+    <Deny ID="ID_DENY_NVOCLOCK_14" FriendlyName="nvoclock\64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5 Hash Page Sha256" Hash="1FE5977A8C891E29444E1364EB91C82A606E39E842D80FE0DBA126261376E751" />
+    <Deny ID="ID_DENY_NVOCLOCK_15" FriendlyName="nvoclock\77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f Hash Sha1" Hash="FDDCB8952F5F44DDAE6201B08DDAA94537470669" />
+    <Deny ID="ID_DENY_NVOCLOCK_16" FriendlyName="nvoclock\77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f Hash Sha256" Hash="CEC5964D7E32C52439D5EB660FA97827B619A7DA9F3264F0C9FA4B69E3CB7CC1" />
+    <Deny ID="ID_DENY_NVOCLOCK_17" FriendlyName="nvoclock\87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b Hash Sha1" Hash="8546586F7825C49876F2E0C52BA55F545B4E03BD" />
+    <Deny ID="ID_DENY_NVOCLOCK_18" FriendlyName="nvoclock\87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b Hash Sha256" Hash="7C8D7BB3A272AFE7FB737BD165FE9BD8F8187F1835289EB66D471CDCED74E950" />
+    <Deny ID="ID_DENY_NVOCLOCK_19" FriendlyName="nvoclock\d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8 Hash Sha1" Hash="FE761BEE648D4A1C9FD8C1646323A692DF957C42" />
+    <Deny ID="ID_DENY_NVOCLOCK_20" FriendlyName="nvoclock\d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8 Hash Sha256" Hash="B3183D87A902DB1BBDAECB37291B9D37C032CE9DFACBE4B36CC3032F5A643AB4" /> 
     <Deny ID="ID_DENY_OTIPCIBUS_1" FriendlyName="otipcibus.sys\4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80 Hash Sha1" Hash="FD172C7F8BDC81988FCF1642881078A8CA8415F6" />
     <Deny ID="ID_DENY_OTIPCIBUS_2" FriendlyName="otipcibus.sys\4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80 Hash Sha256" Hash="1CDA1A6E33D14D5DD06344425102BF840F8149E817ECFB01C59A2190D3367024" />
     <Deny ID="ID_DENY_OTIPCIBUS_3" FriendlyName="otipcibus.sys\4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80 Hash Page Sha1" Hash="8DFBFD888C9A420AC7F3371E5443C26A2852E539" />
@@ -894,6 +1023,22 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_PHYMEMX64_SHA256" FriendlyName="phymemx64 Hash Sha256" Hash="A6AE7364FD188C10D6B5A729A7FF58A3EB11E7FEB0D107D18F9133655C11FB66" />
     <Deny ID="ID_DENY_PHYMEMX64_SHA1_PAGE" FriendlyName="phymemx64 Hash Page Sha1" Hash="6E7D8ABF7F81A2433F27B052B3952EFC4B9CC0B1" />
     <Deny ID="ID_DENY_PHYMEMX64_SHA256_PAGE" FriendlyName="phymemx64 Hash Page Sha256" Hash="B7113B9A68E17428E2107B19BA099571AAFFC854B8FB9CBCEB79EF9E3FD1CC62" />
+    <Deny ID="ID_DENY_QMBSEC_0" FriendlyName="qmbsec.sys\0c801d381292e0476fb435fcc450b7a8970054cc47230c3123f3b6930d8ad799 Hash Sha1" Hash="129ABA97A7EB768AE0ED28D0C9A496F3C60DB314" />
+    <Deny ID="ID_DENY_QMBSEC_1" FriendlyName="qmbsec.sys\0c801d381292e0476fb435fcc450b7a8970054cc47230c3123f3b6930d8ad799 Hash Sha256" Hash="AF55DE92D14CF69D19B2FCB6DB4FBE272C2E04E5F62F7519BD368C173A05CE1F" />
+    <Deny ID="ID_DENY_QMBSEC_2" FriendlyName="qmbsec.sys\0c801d381292e0476fb435fcc450b7a8970054cc47230c3123f3b6930d8ad799 Hash Page Sha1" Hash="416895E001A9C3721999048941CD9B79BB9BF9BB" />
+    <Deny ID="ID_DENY_QMBSEC_3" FriendlyName="qmbsec.sys\0c801d381292e0476fb435fcc450b7a8970054cc47230c3123f3b6930d8ad799 Hash Page Sha256" Hash="50A1719C23DD141ACC867D0935A0EB1A8349F3D7CF1186FA037E829D1788FB34" />
+    <Deny ID="ID_DENY_QMBSEC_4" FriendlyName="qmbsec.sys\494cf30f87274942694e1d6a5700466382cf1398ff62a64a654b2e396fff43f4 Hash Sha1" Hash="7DC5480689591EE8FE778641807CB7B54263E04F" />
+    <Deny ID="ID_DENY_QMBSEC_5" FriendlyName="qmbsec.sys\494cf30f87274942694e1d6a5700466382cf1398ff62a64a654b2e396fff43f4 Hash Sha256" Hash="C8AF285696916F5E503E1F6445BE1CAA23B10178F261E4893DFB0F93A2AA9211" />
+    <Deny ID="ID_DENY_QMBSEC_6" FriendlyName="qmbsec.sys\494cf30f87274942694e1d6a5700466382cf1398ff62a64a654b2e396fff43f4 Hash Page Sha1" Hash="AF20947C135C4497FB6D1B51180DC07AAABEEA00" />
+    <Deny ID="ID_DENY_QMBSEC_7" FriendlyName="qmbsec.sys\494cf30f87274942694e1d6a5700466382cf1398ff62a64a654b2e396fff43f4 Hash Page Sha256" Hash="FB361D34A0D7C633817DDABEFD0CE66F9F5BC1E8F2B301DCCE657BADD2F06FB3" />
+    <Deny ID="ID_DENY_QMBSEC_8" FriendlyName="qmbsec.sys\51745c658c506484ed79e2d71862b36351bac95a897ddc41aaeb9ba5bdfb2a37 Hash Sha1" Hash="6C3434976D859889FA4E91FCF370764A48056B73" />
+    <Deny ID="ID_DENY_QMBSEC_9" FriendlyName="qmbsec.sys\51745c658c506484ed79e2d71862b36351bac95a897ddc41aaeb9ba5bdfb2a37 Hash Sha256" Hash="46141E13ADBADCDB42E0E96AC9F71D3E88E5FA6EFB42F658E216078424FE57A0" />
+    <Deny ID="ID_DENY_QMBSEC_A" FriendlyName="qmbsec.sys\51745c658c506484ed79e2d71862b36351bac95a897ddc41aaeb9ba5bdfb2a37 Hash Page Sha1" Hash="BAB8C0DAC93E72E13F7F2014F44C5EDF1EFCAE17" />
+    <Deny ID="ID_DENY_QMBSEC_B" FriendlyName="qmbsec.sys\51745c658c506484ed79e2d71862b36351bac95a897ddc41aaeb9ba5bdfb2a37 Hash Page Sha256" Hash="6980D97D602100054B8F9F2206E29705E79EC86464915B2212ECEC08C548A291" />
+    <Deny ID="ID_DENY_QMBSEC_C" FriendlyName="qmbsec.sys\be6c3af76d43d6200a387eab9b57791c87dc3a3e21636b3df68bb34e24eebf89 Hash Sha1" Hash="82879A316D5A212C95E8F6DC2734BFDA3DD84DE4" />
+    <Deny ID="ID_DENY_QMBSEC_D" FriendlyName="qmbsec.sys\be6c3af76d43d6200a387eab9b57791c87dc3a3e21636b3df68bb34e24eebf89 Hash Sha256" Hash="B083BB2B298FA14F2E7CC65341337209DF5DE7C53B8CE5DAB5FA830DD29FE2A5" />
+    <Deny ID="ID_DENY_QMBSEC_E" FriendlyName="qmbsec.sys\be6c3af76d43d6200a387eab9b57791c87dc3a3e21636b3df68bb34e24eebf89 Hash Page Sha1" Hash="96516702799451093DB85802491D70F20382DFDE" />
+    <Deny ID="ID_DENY_QMBSEC_F" FriendlyName="qmbsec.sys\be6c3af76d43d6200a387eab9b57791c87dc3a3e21636b3df68bb34e24eebf89 Hash Page Sha256" Hash="0915820FC684225C54BBE9C0727E5E592EE7F10272C3BD8FCE055742C188305C" />
     <Deny ID="ID_DENY_RETLIFTEN_SHA1_1" FriendlyName="80.sys Hash Sha1" Hash="BC2F3850C7B858340D7ED27B90E63B036881FD6C" />
     <Deny ID="ID_DENY_RETLIFTEN_SHA1_2" FriendlyName="netfilterdrv.sys Hash Sha1" Hash="E74B6DDA8BC53BC687FC21218BD34062A78D8467" />
     <Deny ID="ID_DENY_RETLIFTEN_SHA1_3" FriendlyName="netfilterdrv.sys Hash Sha1" Hash="2C27ABBBBCF10DFB75AD79557E30ACE5ED314DF8" />
@@ -1096,6 +1241,18 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_SUPERBMC_15" FriendlyName="superbmc.sys\ee6bfdf5748fbbf579d6176026626ef39a0673e307c2029f5633e80f0babef54 Hash Sha256" Hash="976C015B28197CCD15F807B776F705BDF612FC622FB0A4B9901B90F180BF2F8A" />
     <Deny ID="ID_DENY_SUPERBMC_16" FriendlyName="superbmc.sys\ee6bfdf5748fbbf579d6176026626ef39a0673e307c2029f5633e80f0babef54 Hash Page Sha1" Hash="2303BEAB201455CC543E0CCE9D4D8698338787EB" />
     <Deny ID="ID_DENY_SUPERBMC_17" FriendlyName="superbmc.sys\ee6bfdf5748fbbf579d6176026626ef39a0673e307c2029f5633e80f0babef54 Hash Page Sha256" Hash="161DC4F7ED741397F6BD6C2B012DBDF6E397CF02212C7DAAF303338206B1E3A7" />
+    <Deny ID="ID_DENY_SYSDRV3S_1" FriendlyName="CodeSys SysDrv3S\0dd9daf0852a5b1b436199e9f2bf318f641f43173ab0dc22ad8c7e9cbaee9ad3 Hash Sha1" Hash="3AA0ABAF4EA1F90D1B5D2F26ABE7FE9F0BB14A76" />
+    <Deny ID="ID_DENY_SYSDRV3S_2" FriendlyName="CodeSys SysDrv3S\0dd9daf0852a5b1b436199e9f2bf318f641f43173ab0dc22ad8c7e9cbaee9ad3 Hash Sha256" Hash="8A4E6D1A5E0309EAD41B11CEB479C6A874CF6E57F2B416C12025E1B485009F37" />
+    <Deny ID="ID_DENY_SYSDRV3S_3" FriendlyName="CodeSys SysDrv3S\0dd9daf0852a5b1b436199e9f2bf318f641f43173ab0dc22ad8c7e9cbaee9ad3 Hash Page Sha1" Hash="F4C12BA9B5B73C159EB920060B8E4CEE9D729187" />
+    <Deny ID="ID_DENY_SYSDRV3S_4" FriendlyName="CodeSys SysDrv3S\0dd9daf0852a5b1b436199e9f2bf318f641f43173ab0dc22ad8c7e9cbaee9ad3 Hash Page Sha256" Hash="841C8C6B5D9779B98FB3DB2B90695469FED42885E8F5A81983F35C6B470CCC8F" />
+    <Deny ID="ID_DENY_SYSDRV3S_5" FriendlyName="CodeSys SysDrv3S\161a50482380727ffa0dd94e193a023f4445dddd3a05340fe2db07fc3ec5b5f3 Hash Sha1" Hash="80D203BB42A5D58D87C82481238BFF1A01ECAC6D" />
+    <Deny ID="ID_DENY_SYSDRV3S_6" FriendlyName="CodeSys SysDrv3S\161a50482380727ffa0dd94e193a023f4445dddd3a05340fe2db07fc3ec5b5f3 Hash Sha256" Hash="7A15788A9942659E061E0A51F806E564B2A49ADB7BCB8F6A3548EDD4528426A0" />
+    <Deny ID="ID_DENY_SYSDRV3S_7" FriendlyName="CodeSys SysDrv3S\161a50482380727ffa0dd94e193a023f4445dddd3a05340fe2db07fc3ec5b5f3 Hash Page Sha1" Hash="B1723ED6AD1808E932C3040B5F4744BB9C85DD9F" />
+    <Deny ID="ID_DENY_SYSDRV3S_8" FriendlyName="CodeSys SysDrv3S\161a50482380727ffa0dd94e193a023f4445dddd3a05340fe2db07fc3ec5b5f3 Hash Page Sha256" Hash="20D30D12CAF158058ECDED6BE4282838CA1E328F777DE67D62681891B58E0A13" />
+    <Deny ID="ID_DENY_SYSDRV3S_9" FriendlyName="CodeSys SysDrv3S\cf4efec43474c5aacf4b0971d44eaf8dd6357e594cdb1390085a5070a0df51d4 Hash Sha1" Hash="43D91E7B7B2E65263E40FC2E29F517552A1D2C41" />
+    <Deny ID="ID_DENY_SYSDRV3S_A" FriendlyName="CodeSys SysDrv3S\cf4efec43474c5aacf4b0971d44eaf8dd6357e594cdb1390085a5070a0df51d4 Hash Sha256" Hash="327DD7D2115ED486AD66181E3A0C86AD64F41A6D28943D3E76B1BDE937EAB628" />
+    <Deny ID="ID_DENY_SYSDRV3S_B" FriendlyName="CodeSys SysDrv3S\cf4efec43474c5aacf4b0971d44eaf8dd6357e594cdb1390085a5070a0df51d4 Hash Page Sha1" Hash="1A38DD65ED3E011409F6146ECD6C513E4312D409" />
+    <Deny ID="ID_DENY_SYSDRV3S_C" FriendlyName="CodeSys SysDrv3S\cf4efec43474c5aacf4b0971d44eaf8dd6357e594cdb1390085a5070a0df51d4 Hash Page Sha256" Hash="65D44B0B174524208204C1BCD08A9628B851FB49E22719FF0BA9C05473CCC273" />
     <Deny ID="ID_DENY_SYSINFO_1" FriendlyName="Noriyuki Miyazaki SysInfo\4fea15aabc4fc63a3e991412caf17283bbd257172ef7e255f40f5e22e0286902 Hash Sha1" Hash="E833F4E364DC5EFBABF1570DA86D1FA3E55804A7" />
     <Deny ID="ID_DENY_SYSINFO_2" FriendlyName="Noriyuki Miyazaki SysInfo\4fea15aabc4fc63a3e991412caf17283bbd257172ef7e255f40f5e22e0286902 Hash Sha256" Hash="0122CDCF450F03B95B04560F77C2BB4643F379FBD903B07EA1300F9B974D32A3" />
     <Deny ID="ID_DENY_SYSINFO_3" FriendlyName="Noriyuki Miyazaki SysInfo\7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb Hash Sha1" Hash="CA88F321631C1552E3E0BCD1F26AD3435CC9F1AE" />
@@ -1138,6 +1295,56 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_WINIO_32" FriendlyName="PartnerTech WinIO\dc2b92f59fd8d059a58cc0761212f788d7041f708f4bd717d1738de909b4f781 Hash Sha256" Hash="5B6C10E103D42B17E5DDD6BEEC295BBF51CE56547134CE8D675A008A8243F615" />
     <Deny ID="ID_DENY_WINIO_33" FriendlyName="PartnerTech WinIO\dc2b92f59fd8d059a58cc0761212f788d7041f708f4bd717d1738de909b4f781 Hash Page Sha1" Hash="746414A878978FA039A6521F392167913CEA7C8D" />
     <Deny ID="ID_DENY_WINIO_34" FriendlyName="PartnerTech WinIO\dc2b92f59fd8d059a58cc0761212f788d7041f708f4bd717d1738de909b4f781 Hash Page Sha256" Hash="45DFA3B42C2789A741C5F29862A8CFC5998D889F96C5783C1A27AC03DE1A407A" />
+    <Deny ID="ID_DENY_WINIO_35" FriendlyName="WinIO\0bfcf39a3e63bb6ef8afec67965103df1b9803bca31d221a7fd4233972be9e05 Hash Sha1" Hash="664F7E5EF393507A259362E6D7337407E44A3EDB" />
+    <Deny ID="ID_DENY_WINIO_36" FriendlyName="WinIO\0bfcf39a3e63bb6ef8afec67965103df1b9803bca31d221a7fd4233972be9e05 Hash Sha256" Hash="2DCED5FB3F68F8E33D2454798FCDC5AFCB00EBD1BBB8968CAF274B8D9A3A1DFE" />
+    <Deny ID="ID_DENY_WINIO_37" FriendlyName="WinIO\0bfcf39a3e63bb6ef8afec67965103df1b9803bca31d221a7fd4233972be9e05 Hash Page Sha1" Hash="CF3DF8311C7F241C56F4640D2C6A4A9BB20CD674" />
+    <Deny ID="ID_DENY_WINIO_38" FriendlyName="WinIO\0bfcf39a3e63bb6ef8afec67965103df1b9803bca31d221a7fd4233972be9e05 Hash Page Sha256" Hash="CA87FD00ACDAA7FE36496C1EBD81F6F608ADBB60F41F9B02C6815580F4CE42AC" />
+    <Deny ID="ID_DENY_WINIO_39" FriendlyName="WinIO\13a38c92606de7bc61960606deb59e1db125fb4efbb8b29ba732e5d3c2dc169c Hash Sha1" Hash="1769C1E75D4131047771350AAF84AEA0A631A53C" />
+    <Deny ID="ID_DENY_WINIO_40" FriendlyName="WinIO\13a38c92606de7bc61960606deb59e1db125fb4efbb8b29ba732e5d3c2dc169c Hash Sha256" Hash="E9E8061F8E2C68C6F3E4A4D284CE9E8195140E531981C54F68ED7445D259B4DA" />
+    <Deny ID="ID_DENY_WINIO_41" FriendlyName="WinIO\13a38c92606de7bc61960606deb59e1db125fb4efbb8b29ba732e5d3c2dc169c Hash Page Sha1" Hash="50B55723B63BFECD05DBEB4C19C36AC8F9BEBD25" />
+    <Deny ID="ID_DENY_WINIO_42" FriendlyName="WinIO\13a38c92606de7bc61960606deb59e1db125fb4efbb8b29ba732e5d3c2dc169c Hash Page Sha256" Hash="14F25296EA3C6AE183BDAE04A0029BE2BB4D679089680FB2695904708A778CB2" />
+    <Deny ID="ID_DENY_WINIO_43" FriendlyName="WinIO\1f868677f2e6afd63b974908f793307a91329a6a413cfd726e85185507401afb Hash Sha1" Hash="67A8DF0F5962D4C93D4463BF79185F23502B8CEA" />
+    <Deny ID="ID_DENY_WINIO_44" FriendlyName="WinIO\1f868677f2e6afd63b974908f793307a91329a6a413cfd726e85185507401afb Hash Sha256" Hash="1E93ACD7C0ACCE3C39AC6303A8D914B5F8556C7C1E10EFDBBA18CCF75A41F36E" />
+    <Deny ID="ID_DENY_WINIO_45" FriendlyName="WinIO\2e8c28298890f1684be3827bcdb0746a124a0ffe58d1c9a4c361c2e8b13cf735 Hash Sha1" Hash="7BCF1C28DEED9ECAD5DFBEC3A111297673C33AA7" />
+    <Deny ID="ID_DENY_WINIO_46" FriendlyName="WinIO\2e8c28298890f1684be3827bcdb0746a124a0ffe58d1c9a4c361c2e8b13cf735 Hash Sha256" Hash="6A4E037EE84F83D3A4E84C35F09AE26D42F347FEC8ECF525553962EC24CEB2BE" />
+    <Deny ID="ID_DENY_WINIO_47" FriendlyName="WinIO\2e8c28298890f1684be3827bcdb0746a124a0ffe58d1c9a4c361c2e8b13cf735 Hash Page Sha1" Hash="B23D319DBE769BF8DB0D5217A3523553072830E3" />
+    <Deny ID="ID_DENY_WINIO_48" FriendlyName="WinIO\2e8c28298890f1684be3827bcdb0746a124a0ffe58d1c9a4c361c2e8b13cf735 Hash Page Sha256" Hash="F0158C28986F4A806F127DB70720462D8EF07F8EB7A7B8DE698896993365B517" />
+    <Deny ID="ID_DENY_WINIO_49" FriendlyName="WinIO\385660a65e69b3bf9ac5c2ae4cadbb1e07f366e1807979bf7a915e40e9480f8b Hash Sha1" Hash="FDF79660BAE9C9DD54509FEC6C9F0E0A9BB2C1D5" />
+    <Deny ID="ID_DENY_WINIO_50" FriendlyName="WinIO\385660a65e69b3bf9ac5c2ae4cadbb1e07f366e1807979bf7a915e40e9480f8b Hash Sha256" Hash="FF40D6714AC9C59A6D0E3A155586D6C51A3457F77BA1E2858D9804A0318178E7" />
+    <Deny ID="ID_DENY_WINIO_51" FriendlyName="WinIO\385660a65e69b3bf9ac5c2ae4cadbb1e07f366e1807979bf7a915e40e9480f8b Hash Page Sha1" Hash="65EC6A3DB695FCD94DF5C8B41EEF67DE02031C96" />
+    <Deny ID="ID_DENY_WINIO_52" FriendlyName="WinIO\385660a65e69b3bf9ac5c2ae4cadbb1e07f366e1807979bf7a915e40e9480f8b Hash Page Sha256" Hash="F74C91893BE76BE735CDBCA522405D0AE055326AE7D7082907FE1447FA196F2C" />
+    <Deny ID="ID_DENY_WINIO_53" FriendlyName="WinIO\42322b59f75f3ee3f66d080433c01fe024ca9ce5cbd3acac8a98394ac2a0d659 Hash Sha1" Hash="8E93E37A72A13DAC1C4C0BC1DA6BDFB8BA8D9CB3" />
+    <Deny ID="ID_DENY_WINIO_54" FriendlyName="WinIO\42322b59f75f3ee3f66d080433c01fe024ca9ce5cbd3acac8a98394ac2a0d659 Hash Sha256" Hash="5B6C10E103D42B17E5DDD6BEEC295BBF51CE56547134CE8D675A008A8243F615" />
+    <Deny ID="ID_DENY_WINIO_55" FriendlyName="WinIO\42322b59f75f3ee3f66d080433c01fe024ca9ce5cbd3acac8a98394ac2a0d659 Hash Page Sha1" Hash="746414A878978FA039A6521F392167913CEA7C8D" />
+    <Deny ID="ID_DENY_WINIO_56" FriendlyName="WinIO\42322b59f75f3ee3f66d080433c01fe024ca9ce5cbd3acac8a98394ac2a0d659 Hash Page Sha256" Hash="45DFA3B42C2789A741C5F29862A8CFC5998D889F96C5783C1A27AC03DE1A407A" />
+    <Deny ID="ID_DENY_WINIO_57" FriendlyName="WinIO\8d5466ccce64de5beccc373e0c878ca3e624ed78d359f76aae32de4df5afce18 Hash Sha1" Hash="DB70C4C4BE791955F33977D85B30D9624E9270E3" />
+    <Deny ID="ID_DENY_WINIO_58" FriendlyName="WinIO\8d5466ccce64de5beccc373e0c878ca3e624ed78d359f76aae32de4df5afce18 Hash Sha256" Hash="9F44E5C897EE06D92E7BEDC713DD369D85E084959C69CEEC25663A599FF5D5F8" />
+    <Deny ID="ID_DENY_WINIO_59" FriendlyName="WinIO\8d5466ccce64de5beccc373e0c878ca3e624ed78d359f76aae32de4df5afce18 Hash Page Sha1" Hash="AAB02F7A7931442D2F46330E069ABF9B59DB3F3D" />
+    <Deny ID="ID_DENY_WINIO_60" FriendlyName="WinIO\8d5466ccce64de5beccc373e0c878ca3e624ed78d359f76aae32de4df5afce18 Hash Page Sha256" Hash="9185576B594D33290237E72841F56D36A4F0D6668EC9094FB45C1F3957DF6A0C" />
+    <Deny ID="ID_DENY_WINIO_61" FriendlyName="WinIO\9ef6eb93e504351d710b88fd5ec68ef2e0b757ea364341e715b0076dc559b54a Hash Sha1" Hash="789C851AF232506F62BE108799065219427861C2" />
+    <Deny ID="ID_DENY_WINIO_62" FriendlyName="WinIO\9ef6eb93e504351d710b88fd5ec68ef2e0b757ea364341e715b0076dc559b54a Hash Sha256" Hash="D6399E43E24E4D2348008645F6E2176AEB2F0244A5E17028C152D87617E7BD0D" />
+    <Deny ID="ID_DENY_WINIO_63" FriendlyName="WinIO\9ef6eb93e504351d710b88fd5ec68ef2e0b757ea364341e715b0076dc559b54a Hash Page Sha1" Hash="5E699DF6F458A11CD8C2D59D083D2CA38A25F876" />
+    <Deny ID="ID_DENY_WINIO_64" FriendlyName="WinIO\9ef6eb93e504351d710b88fd5ec68ef2e0b757ea364341e715b0076dc559b54a Hash Page Sha256" Hash="E6E5B6C064338FBB222221EF3A8DEBE60E4ED0AAECCB5B03FECD0DC595AB3FC9" />
+    <Deny ID="ID_DENY_WINIO_65" FriendlyName="WinIO\9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374 Hash Sha1" Hash="651B953CB03928E41424AD59F21D4978D6F4952E" />
+    <Deny ID="ID_DENY_WINIO_66" FriendlyName="WinIO\9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374 Hash Sha256" Hash="EBBAA44277A3EC6E20AD3F6AEF5399FDC398306EB4C13AA96E45C9A281820A12" />
+    <Deny ID="ID_DENY_WINIO_67" FriendlyName="WinIO\9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374 Hash Page Sha1" Hash="3727D824713E733558A20DE9876AABF1059D3158" />
+    <Deny ID="ID_DENY_WINIO_68" FriendlyName="WinIO\9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374 Hash Page Sha256" Hash="88C83F618C8F4069DED87C409A8446C5A30E22A303E64AAFF1C5BE6302ADEDB4" />
+    <Deny ID="ID_DENY_WINIO_69" FriendlyName="WinIO\be929ae99015fafa0ab55cb475035e8c1359db1b61e00507defc1919a3538385 Hash Sha1" Hash="8522BD30B4028C43B747C96665F60AB920F341EA" />
+    <Deny ID="ID_DENY_WINIO_70" FriendlyName="WinIO\be929ae99015fafa0ab55cb475035e8c1359db1b61e00507defc1919a3538385 Hash Sha256" Hash="48EC0783D0A2AAF4956102479BA4DDFE9F760066D00E1C5B7F022A084951DC73" />
+    <Deny ID="ID_DENY_WINIO_71" FriendlyName="WinIO\be929ae99015fafa0ab55cb475035e8c1359db1b61e00507defc1919a3538385 Hash Page Sha1" Hash="9808DE8670677522E87FFEF1593D220E3619C7B9" />
+    <Deny ID="ID_DENY_WINIO_72" FriendlyName="WinIO\be929ae99015fafa0ab55cb475035e8c1359db1b61e00507defc1919a3538385 Hash Page Sha256" Hash="BC54AF722F57C3BD11EDAEDBF5979AA8D8A388A2D94E80E9E26311B61A11529A" />
+    <Deny ID="ID_DENY_WINIO_73" FriendlyName="WinIO\d6518cb6dc0cfdfefb9e2210e3de18867748a77153fa11bc7263cdbc58919815 Hash Sha1" Hash="660DC4007F3C667BA97736C3C9A5E038CB473EE0" />
+    <Deny ID="ID_DENY_WINIO_74" FriendlyName="WinIO\d6518cb6dc0cfdfefb9e2210e3de18867748a77153fa11bc7263cdbc58919815 Hash Sha256" Hash="669FF9649C66B4C61BD97EC4A83D6EBC8DA7736C039B2741D4E2D8310039977A" />
+    <Deny ID="ID_DENY_WINIO_75" FriendlyName="WinIO\d6518cb6dc0cfdfefb9e2210e3de18867748a77153fa11bc7263cdbc58919815 Hash Page Sha1" Hash="118777DD5E34BDCE01B2A0C6720A4EB9DC4FEFFF" />
+    <Deny ID="ID_DENY_WINIO_76" FriendlyName="WinIO\d6518cb6dc0cfdfefb9e2210e3de18867748a77153fa11bc7263cdbc58919815 Hash Page Sha256" Hash="E686804D2FF9ACEAD443A0B66DACD1780E4041A0ACAEDB3A78B91F52DCFF4824" />
+    <Deny ID="ID_DENY_WINIO_77" FriendlyName="WinIO\db4a5b87db97167c70e98014a12ac324866cf643cee65d3b3cda0b33add34d2f Hash Sha1" Hash="4AF05BCCDD9A1FFCF3DAF4DFE4A00FE6F1F257BE" />
+    <Deny ID="ID_DENY_WINIO_78" FriendlyName="WinIO\db4a5b87db97167c70e98014a12ac324866cf643cee65d3b3cda0b33add34d2f Hash Sha256" Hash="059EFDB03556258C34B6CB26FF4679DC7CD4CB797190FDDDF373B3F701EE55B7" />
+    <Deny ID="ID_DENY_WINIO_79" FriendlyName="WinIO\db4a5b87db97167c70e98014a12ac324866cf643cee65d3b3cda0b33add34d2f Hash Page Sha1" Hash="468B16FD87C346A1F5B11BDE450673F1D8866619" />
+    <Deny ID="ID_DENY_WINIO_80" FriendlyName="WinIO\db4a5b87db97167c70e98014a12ac324866cf643cee65d3b3cda0b33add34d2f Hash Page Sha256" Hash="186D287B669D813A727CBAAACDAA291FA1F16B1599122BA869622AE0C920F6B9" />
+    <Deny ID="ID_DENY_WINIO_81" FriendlyName="WinIO\f4acfebd83a351029dd812a0e40b44f5362f31ae80b6ae0b2fa2241687d34912 Hash Sha1" Hash="7B3DB7D11456209A266F077F8E2D2B90E4F9118D" />
+    <Deny ID="ID_DENY_WINIO_82" FriendlyName="WinIO\f4acfebd83a351029dd812a0e40b44f5362f31ae80b6ae0b2fa2241687d34912 Hash Sha256" Hash="2EBB1FE5DCEF9EC8629D56D30DDBA27D112C2CBFCED936D235FCDF078846DDC6" />
+    <Deny ID="ID_DENY_WINIO_83" FriendlyName="WinIO\f4acfebd83a351029dd812a0e40b44f5362f31ae80b6ae0b2fa2241687d34912 Hash Page Sha1" Hash="929749666A53B35CC75A21B19C65E54671CC751E" />
+    <Deny ID="ID_DENY_WINIO_84" FriendlyName="WinIO\f4acfebd83a351029dd812a0e40b44f5362f31ae80b6ae0b2fa2241687d34912 Hash Page Sha256" Hash="C39AB8DC5E4DA02FA2309B83FF4FDF63AEF20F33018DFDEFB7B0B12B92CFE86E" />
     <Deny ID="ID_DENY_WINRING0_SHA1" FriendlyName="WinRing0.sys Hash Sha1" Hash="12EB825418A932B1E4C6697DC7647E89AE52CF3F" />
     <Deny ID="ID_DENY_WINRING0_SHA256" FriendlyName="WinRing0.sys Hash Sha256" Hash="4582ADB2E67EEBAFF755AE740C1F24BC3AF78E0F28E8E8DECB99F86BF155AB23" />
     <Deny ID="ID_DENY_WINRING0_SHA1_PAGE" FriendlyName="WinRing0.sys Hash Page Sha1" Hash="497AFEB0D5B97D4B863704A2F77FFEF31220402D" />
@@ -1154,11 +1361,13 @@ To check that the policy was successfully applied on your computer:
     <Deny ID="ID_DENY_PCHUNTER_1" FriendlyName="PCHunter Driver" FileName="PCHunter.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <Deny ID="ID_DENY_PCHUNTER_2" FriendlyName="PCHunter Driver" FileName="安全专用" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <Deny ID="ID_DENY_PHYMEMX_64" FriendlyName="Phymemx64 Memory Mapping Driver" FileName="phymemx64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
+    <FileAttrib ID="ID_FILEATTRIB_ALSYSIO" FriendlyName="ALSysIO\01af9b2e49907308312be623a125a4cd71da9e626a54dfa746336e5d69c0a70a FileAttribute" FileName="ALSysIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="2.0.10.65535" />
     <FileAttrib ID="ID_FILEATTRIB_AMD_RYZEN" FriendlyName="amdryzenmaster.sys" FileName="AMDRyzenMasterDriver.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.5.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_AMDPP" FriendlyName="AMDPowerProfiler.sys FileAttribute" FileName="AMDPowerProfiler.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="6.1.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_ASR_AUTOCHECK_1" FriendlyName="ASRAutoCheck\2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4 FileAttribute" FileName="AsrAutoChkUpdDrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_ASR_AUTOCHECK_2" FriendlyName="ASRAutoCheck\4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe FileAttribute" FileName="AsrAutoChkUpdDrv_1_0_32.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_ASWARPOT" FriendlyName="Avast aswArpot FileAttribute" FileName="aswArPot.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="21.4.65535.65535" />
+    <FileAttrib ID="ID_FILEATTRIB_ASWSP" FriendlyName="Avast aswSP.sys\1dccd1e13da17bd541a66b48d62e914df390818c15f5f599c636d42c05996ace FileAttribute" FileName="aswSP.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="20.8.0.0"/>
     <FileAttrib ID="ID_FILEATTRIB_ASWSNX" FriendlyName="Aswsnx FileAttribute" FileName="aswSnx.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="17.1.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_ATILLK" FriendlyName="atillk64 FileAttribute" FileName="atillk64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_ATSZIO" FriendlyName="ATSZIO.sys FileAttribute" FileName="ATSZIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
@@ -1171,15 +1380,17 @@ To check that the policy was successfully applied on your computer:
     <FileAttrib ID="ID_FILEATTRIB_BS_RCIO_W10" FriendlyName="BS_RCIO\7c6f16af074c3f1c74fc69734f1c8b8a03b0594ac2085d5a0c582fc8cc378858 FileAttribute" FileName="BS_RCIO64_W10.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_BS_MEM" FriendlyName="BSMEM64_W10 FileAttribute" FileName="BSMEM64_W10.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.1806.2201" />
     <FileAttrib ID="ID_FILEATTRIB_BSMI" FriendlyName="" FileName="BSMI.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.3" />
-    <FileAttrib ID="ID_FILEATTRIB_CPUZ_DRIVER" FriendlyName="" FileName="cpuz.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.4.3" />
+    <FileAttrib ID="ID_FILEATTRIB_CORSAIRLLACCESS" FriendlyName="CorsairLLAccess\000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b FileAttribute" FileName="Corsair LL Access" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.23.65535" />
+    <FileAttrib ID="ID_FILEATTRIB_CPUZ_DRIVER" FriendlyName="CPUID cpuz.sys\1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" FileName="cpuz.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.5.6" />
     <FileAttrib ID="ID_FILEATTRIB_CTIIO" FriendlyName="MicSys CtiIo\2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109 FileAttribute" FileName="CtiIo64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.1.23.0405" />
     <FileAttrib ID="ID_FILEATTRIB_DRIVER7" FriendlyName="Asus driver7.sys\1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb FileAttribute" FileName="Driver7" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535"/>
     <FileAttrib ID="ID_FILEATTRIB_EIO64" FriendlyName="ASUS EIO64.sys\1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718 FileAttribute" FileName="EIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535"/>
     <FileAttrib ID="ID_FILEATTRIB_EELAM" FriendlyName="ESET eelam Overpermissive ELAM FileAttribute" FileName="eelam.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.16.0" />
     <FileAttrib ID="ID_FILEATTRIB_ELBY_DRIVER" FriendlyName="" FileName="ElbyCDIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="6.0.3.2" />
+    <FileAttrib ID="ID_FILEATTRIB_ETDSUPPORT" FriendlyName="HP EtdSupport\0d383e469d0e27ebb713770f01f7f1a57068a7d30478221e6f2276125048d1c9 FileAttribute" FileName="etdsupp.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="20.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_FAIRPLAY" FriendlyName="Deny FairplayKD.sys MTA San Andreas Versions 367.*" ProductName="MTA San Andreas" MinimumFileVersion="367.0.0.0" MaximumFileVersion="367.65535.65535.65535"/>
     <FileAttrib ID="ID_FILEATTRIB_GMER" FriendlyName="GMEREK gmer64 FileAttribute" FileName="gmer64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
-    <FileAttrib ID="ID_FILEATTRIB_HAXM" FriendlyName="haXM.sys FileAttribute" FileName="HaXM.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
+    <FileAttrib ID="ID_FILEATTRIB_HAXM" FriendlyName="haXM.sys FileAttribute" FileName="HaXM.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_HPPORTIOX64" FriendlyName="HpPortIox64.sys" FileName="HpPortIox64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.2.0.9" />
     <FileAttrib ID="ID_FILEATTRIB_HW" FriendlyName="hw_sys\4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8 FileAttribute" FileName="HW.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="4.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_HWINFO_1" FriendlyName="REALiX_HWiNFO32 FileAttribute" FileName="HWiNFO32.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="8.98.0.0" />
@@ -1187,7 +1398,8 @@ To check that the policy was successfully applied on your computer:
     <FileAttrib ID="ID_FILEATTRIB_HWINFO_3" FriendlyName="REALiX_HWiNFO64I FileAttribute" FileName="HWiNFO64I.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="8.98.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_HWRWDRV" FriendlyName="HwRwDrv FileAttribute" FileName="HwRwDrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_IOBITUNLOCKER" FriendlyName="IObitUnlocker FileAttribute" FileName="IObitUnlocker.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.3.0.0" />
-    <FileAttrib ID="ID_FILEATTRIB_IQVW64" FriendlyName="IQVW64.sys FileAttribute" FileName="iQVW64.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.4.0.0" />
+    <FileAttrib ID="ID_FILEATTRIB_IOMEM" FriendlyName="DT Research iomem\2b507e0ad4515d9d47fb7f0bfa1f1eb11de25db4fca49fc1417ea991dc33b6bf FileAttribute" FileName="iomem.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535"/>
+    <FileAttrib ID="ID_FILEATTRIB_IQVW64" FriendlyName="IQVW64.sys FileAttribute" FileName="iQVW64.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.4.0.21" />
     <FileAttrib ID="ID_FILEATTRIB_KEVP64" FriendlyName="kevp64.sys FileAttribute" FileName="kEvP64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_LGCORETEMP" FriendlyName="LogiTech LgCoreTemp\93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131 FileAttribute" FileName="LgCoreTemp.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_LHA" FriendlyName="LHA.sys FileAttribute" FileName="LHA.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
@@ -1195,7 +1407,7 @@ To check that the policy was successfully applied on your computer:
     <FileAttrib ID="ID_FILEATTRIB_LV_DIAG" FriendlyName="LenovoDiagnosticsDriver FileAttribute" FileName="LenovoDiagnosticsDriver.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="2.0.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_LV561V64" FriendlyName="LV561V64 LogiTech FileAttribute" FileName="Lv561av.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_MONITOR" FriendlyName="IOBit Monitor.sys FileAttribute" FileName="Monitor.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="15.0.0.2" />
-    <FileAttrib ID="ID_FILEATTRIB_MSIO" FriendlyName="MicSys MSIO\0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff FileAttribute" FileName="MsIo64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.3.23.0405" />
+    <FileAttrib ID="ID_FILEATTRIB_MSIO" FriendlyName="MicSys MSIO\0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff FileAttribute" FileName="MsIo64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_MTCBSV64" FriendlyName="mtcBSv64.sys FileAttribute" FileName="mtcBSv64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="21.2.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_MYDRIVERS" FriendlyName="mydrivers.sys FileAttribute" FileName="mydrivers.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_NCHGBIOS2X64" FriendlyName="" FileName="NCHGBIOS2x64.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="4.2.4.0" />
@@ -1203,6 +1415,7 @@ To check that the policy was successfully applied on your computer:
     <FileAttrib ID="ID_FILEATTRIB_NICM_DRIVER" FriendlyName="" FileName="NICM.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.11.0" />
     <FileAttrib ID="ID_FILEATTRIB_NSCM_DRIVER" FriendlyName="" FileName="nscm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.11.0" />
     <FileAttrib ID="ID_FILEATTRIB_NTIOLIB" FriendlyName="" FileName="NTIOLib.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.0" />
+    <FileAttrib ID="ID_FILEATTRIB_NVOCLOCK" FriendlyName="Nvidia nvoclock\29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36 FileAttribute" FileName="nvoclock.sys" MinimumFileVersion="7.0.0.32" />
     <FileAttrib ID="ID_FILEATTRIB_NVFLASH" FriendlyName="Nvidia NVFlash FileAttribute" FileName="nvflash.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.9.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_OPENLIBSYS" FriendlyName="OpenLibSys\91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c FileAttribute" FileName="OpenLibSys.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_PANIO_1" FriendlyName="PanIOx64\6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74 FileAttribute" FileName="PanIOx64.sys" MinimumFileVersion="1.0.0.1" />
@@ -1224,6 +1437,8 @@ To check that the policy was successfully applied on your computer:
     <FileAttrib ID="ID_FILEATTRIB_SANDRA_DRIVER" FriendlyName="" FileName="sandra.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.12.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_SEGWINDRVX64" FriendlyName="segwindrvx64.sys FileAttribute" FileName="segwindrvx64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="100.0.7.2" />
     <FileAttrib ID="ID_FILEATTRIB_SUPERBMC" FriendlyName="Superbmc FileAttribute" FileName="superbmc.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="2.2.1.0" />
+    <FileAttrib ID="ID_FILEATTRIB_SYMELAM" FriendlyName="SymELAM\021badff5a3c84ee422d9fa40a842f89b1c60e0164eabd58da7374327ea99d3c FileAttribute" FileName="SymELAM.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="2.4.0.83" />
+    <FileAttrib ID="ID_FILEATTRIB_SYSDRV3S" FriendlyName="SysDrv3s\0dd9daf0852a5b1b436199e9f2bf318f641f43173ab0dc22ad8c7e9cbaee9ad3 FileAttribute" FileName="SysDrv3S.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.6.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_TMEL" FriendlyName="TrendMicro TMEL Overpermissive ELAM FileAttribute" FileName="Tmel.sys" MinimumFileVersion="1.6.0.1002" MaximumFileVersion="1.6.0.1004" />
     <FileAttrib ID="ID_FILEATTRIB_TREND_MICRO" FriendlyName="TmComm.sys" FileName="TmComm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="8.0.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_VBOX" FriendlyName="VBoxDrv.sys FileAttribute" FileName="VBoxDrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.0.0.0" />
@@ -1243,12 +1458,15 @@ To check that the policy was successfully applied on your computer:
     <Signer ID="ID_SIGNER_VERISIGN_2010" Name="VeriSign Class 3 Code Signing 2010 CA">
       <CertRoot Type="TBS" Value="4843A82ED3B1F2BFBEE9671960E1940C942F688D" />
       <FileAttribRef RuleID="ID_FILEATTRIB_AMDPP" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_ASWSP" />
       <FileAttribRef RuleID="ID_FILEATTRIB_ASR_AUTOCHECK_1" />
       <FileAttribRef RuleID="ID_FILEATTRIB_ASR_AUTOCHECK_2" />
       <FileAttribRef RuleID="ID_FILEATTRIB_ASWSNX" />
       <FileAttribRef RuleID="ID_FILEATTRIB_ATSZIO" />
       <FileAttribRef RuleID="ID_FILEATTRIB_CPUZ_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_DRIVER7" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_ETDSUPPORT" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_IOMEM" />
       <FileAttribRef RuleID="ID_FILEATTRIB_IQVW64" />
       <FileAttribRef RuleID="ID_FILEATTRIB_KEVP64" />
       <FileAttribRef RuleID="ID_FILEATTRIB_LHA" />
@@ -1310,6 +1528,7 @@ To check that the policy was successfully applied on your computer:
       <FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_NVOCLOCK" />
       <FileAttribRef RuleID="ID_FILEATTRIB_TREND_MICRO" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NCHGBIOS2X64" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
@@ -1373,6 +1592,8 @@ To check that the policy was successfully applied on your computer:
       <FileAttribRef RuleID="ID_FILEATTRIB_AMD_RYZEN" />
       <FileAttribRef RuleID="ID_FILEATTRIB_AMDPP" />
       <FileAttribRef RuleID="ID_FILEATTRIB_ASWSNX" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_ASWSP" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_ETDSUPPORT" />
       <FileAttribRef RuleID="ID_FILEATTRIB_HWRWDRV" />
       <FileAttribRef RuleID="ID_FILEATTRIB_IQVW64" />
       <FileAttribRef RuleID="ID_FILEATTRIB_TREND_MICRO" />
@@ -1388,11 +1609,13 @@ To check that the policy was successfully applied on your computer:
     <Signer ID="ID_SIGNER_WINDOWS_3RD_PARTY_2014" Name="Microsoft Windows Third Party Component CA 2014">
       <CertRoot Type="TBS" Value="D8BE9E4D9074088EF818BC6F6FB64955E90378B2754155126FEEBBBD969CF0AE" />
       <CertPublisher Value="Microsoft Windows Hardware Compatibility Publisher" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_ALSYSIO" />
       <FileAttribRef RuleID="ID_FILEATTRIB_ASWSNX" />
       <FileAttribRef RuleID="ID_FILEATTRIB_BS_HWMIO64" />
       <FileAttribRef RuleID="ID_FILEATTRIB_BS_MEM" />
       <FileAttribRef RuleID="ID_FILEATTRIB_BS_RCIO" />
       <FileAttribRef RuleID="ID_FILEATTRIB_BS_RCIO_W10" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_CORSAIRLLACCESS" />
       <FileAttribRef RuleID="ID_FILEATTRIB_CPUZ_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_CTIIO" />
       <FileAttribRef RuleID="ID_FILEATTRIB_HAXM" />
@@ -1411,6 +1634,7 @@ To check that the policy was successfully applied on your computer:
       <FileAttribRef RuleID="ID_FILEATTRIB_RTKIO_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_RTKIOW10X64_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_RZPNK" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_SYSDRV3S" />
       <FileAttribRef RuleID="ID_FILEATTRIB_VIRAGT" />
       <FileAttribRef RuleID="ID_FILEATTRIB_VIRAGT64" />
       <FileAttribRef RuleID="ID_FILEATTRIB_VMDRV" />
@@ -1424,9 +1648,11 @@ To check that the policy was successfully applied on your computer:
     </Signer>
     <Signer ID="ID_SIGNER_VERISIGN_2004" Name="VeriSign Class 3 Code Signing 2004 CA">
       <CertRoot Type="TBS" Value="C7FC1727F5B75A6421A1F95C73BBDB23580C48E5" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_ALSYSIO" />
       <FileAttribRef RuleID="ID_FILEATTRIB_CPUZ_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_IQVW64" />
       <FileAttribRef RuleID="ID_FILEATTRIB_MTCBSV64" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_NVOCLOCK" />
       <FileAttribRef RuleID="ID_FILEATTRIB_PCDOC" />
       <FileAttribRef RuleID="ID_FILEATTRIB_ZEMANA_1" />
       <FileAttribRef RuleID="ID_FILEATTRIB_ZEMANA_2" />
@@ -1491,6 +1717,7 @@ To check that the policy was successfully applied on your computer:
     <Signer ID="ID_SIGNER_SYMANTEC_CLASS_3" Name="Symantec Class 3 SHA256 Code Signing CA">
       <CertRoot Type="TBS" Value="A08E79C386083D875014C409C13D144E0A24386132980DF11FF59737C8489EB1" />
       <FileAttribRef RuleID="ID_FILEATTRIB_AMD_RYZEN" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_ASWSP" />
       <FileAttribRef RuleID="ID_FILEATTRIB_AMDPP" />
       <FileAttribRef RuleID="ID_FILEATTRIB_LGCORETEMP" />
       <FileAttribRef RuleID="ID_FILEATTRIB_RZPNK" />
@@ -1772,12 +1999,14 @@ To check that the policy was successfully applied on your computer:
       <FileAttribRef RuleID="ID_FILEATTRIB_AVGELAM" />
       <FileAttribRef RuleID="ID_FILEATTRIB_EELAM" />
       <FileAttribRef RuleID="ID_FILEATTRIB_TMEL" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_SYMELAM" />
     </Signer>
     <Signer ID="ID_SIGNER_MS_ELAM_1" Name="Microsoft Code Signing PCA 2010">
       <CertRoot Type="TBS" Value="121AF4B922A74247EA49DF50DE37609CC1451A1FE06B2CB7E1E079B492BD8195" />
       <FileAttribRef RuleID="ID_FILEATTRIB_AVGELAM" />
       <FileAttribRef RuleID="ID_FILEATTRIB_EELAM" />
       <FileAttribRef RuleID="ID_FILEATTRIB_TMEL" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_SYMELAM" />
     </Signer>
     <Signer ID="ID_SIGNER_AVGELAM_1" Name="DigiCert High Assurance Code Signing CA-1">
       <CertRoot Type="TBS" Value="1D7E838ACCD498C2E5BA9373AF819EC097BB955C" />
@@ -1786,6 +2015,7 @@ To check that the policy was successfully applied on your computer:
     </Signer>
     <Signer ID="ID_SIGNER_AVGELAM_2" Name="DigiCert SHA2 Assured ID Code Signing CA">
       <CertRoot Type="TBS" Value="E767799478F64A34B3F53FF3BB9057FE1768F4AB178041B0DCC0FF1E210CBA65" />
+      <CertPublisher Value="AVAST Software s.r.o." />
       <FileAttribRef RuleID="ID_FILEATTRIB_AVGELAM" />
       <FileAttribRef RuleID="ID_FILEATTRIB_ASWSNX" />
     </Signer>
@@ -1909,6 +2139,53 @@ To check that the policy was successfully applied on your computer:
       <CertPublisher Value="PC-Doctor, Inc." />
       <FileAttribRef RuleID="ID_FILEATTRIB_PCDOC" />
     </Signer>
+    <Signer ID="ID_SIGNER_SYSDRV3S" Name="GlobalSign 3S-Smart">
+      <CertRoot Type="TBS" Value="BD1765C56594221373893EF26D97F88C144FB0E5A0111215B45D7239C3444DF7" />
+      <CertPublisher Value="3S-Smart Software Solutions GmbH" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_SYSDRV3S" />
+    </Signer>
+    <Signer ID="ID_SIGNER_PAVEL_Y_1" Name="DigiCert SHA2 Assured ID Code Signing CA">
+      <CertRoot Type="TBS" Value="E767799478F64A34B3F53FF3BB9057FE1768F4AB178041B0DCC0FF1E210CBA65" />
+      <CertPublisher Value="Pavel Yosifovich" />
+    </Signer>
+    <Signer ID="ID_SIGNER_PAVEL_Y_2" Name="DigiCert SHA2 High Assurance Code Signing CA">
+      <CertRoot Type="TBS" Value="0BF095B845B69928B5D7DFD1C42AE4F90FEB8DC97F7830598C93E848877021FB" />
+      <CertPublisher Value="Pavel Yosifovich" />
+    </Signer>
+    <Signer ID="ID_SIGNER_ALSYSIO_1" Name="COMODO RSA Code Signing CA">
+      <CertRoot Type="TBS" Value="4805A7E23D6C8FF5E149F197B744BCB2346E73F19A48835A2F64129183981109256B75EA371A331746D01FD4E135AB6E" />
+      <CertPublisher Value="ALCPU" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_ALSYSIO" />
+    </Signer>
+    <Signer ID="ID_SIGNER_ALSYSIO_2" Name="UTN-USERFirst-Object">
+      <CertRoot Type="TBS" Value="C45627B5584BF62327DF60D6185744A2D2F2BCBF" />
+      <CertPublisher Value="ALCPU" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_ALSYSIO" />
+    </Signer>
+    <Signer ID="ID_SIGNER_MICKS" Name="Microsoft Windows Third Party Component CA 2014">
+      <CertRoot Type="TBS" Value="D8BE9E4D9074088EF818BC6F6FB64955E90378B2754155126FEEBBBD969CF0AE" />
+      <CertOemID Value="Micks Auto Transport" />
+    </Signer>
+    <Signer ID="ID_SIGNER_ETDSUPPORT" Name="DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1">
+      <CertRoot Type="TBS" Value="65B1D4076A89AE273F57E6EEEDECB3EAE129B4168F76FA7671914CDF461D542255C59D9B85B916AE0CA6FC0FCF7A8E64" />
+      <CertPublisher Value="HP Inc." />
+      <FileAttribRef RuleID="ID_FILEATTRIB_ETDSUPPORT" />
+    </Signer>
+    <Signer ID="ID_SIGNER_NVOCLOCK" Name="GeoTrust TrustCenter CodeSigning CA I">
+      <CertRoot Type="TBS" Value="172F39BCA3DDA7C6D5169C96B34A5FE7E96FF0BD" />
+      <CertPublisher Value="Micro-Star Int'l Co., Ltd." />
+      <FileAttribRef RuleID="ID_FILEATTRIB_NVOCLOCK" />
+    </Signer>
+    <Signer ID="ID_SIGNER_CPUZ_1" Name="DigiCert EV Code Signing CA">
+      <CertRoot Type="TBS" Value="2D54C16A8F8B69CCDEA48D0603C132F547A5CF75" />
+      <CertPublisher Value="CPUID S.A.R.L.U." />
+      <FileAttribRef RuleID="ID_FILEATTRIB_CPUZ_DRIVER" />
+    </Signer>
+    <Signer ID="ID_SIGNER_CPUZ_2" Name="Certum Extended Validation Code Signing 2021 CA">
+      <CertRoot Type="TBS" Value="56F431D13FD6F7974905196A6367D252A955C5FE34DB1E48CFA3EB569707809D63DE4A0FF8FEF57BE69C23284D9144EA" />
+      <CertPublisher Value="CPUID" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_CPUZ_DRIVER" />
+    </Signer>
     <Signer ID="ID_SIGNER_BAOJI" Name="VeriSign Class 3 Code Signing 2010 CA - Baoji zhihengtaiye co.,ltd">
       <CertRoot Type="TBS" Value="ED37AD43BC52426943019F77F35ED1A6B063B5B7" />
     </Signer>
@@ -2011,6 +2288,8 @@ To check that the policy was successfully applied on your computer:
           <DeniedSigner SignerId="ID_SIGNER_AGNITUM_2009" />
           <DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010" />
           <DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010_1" />
+          <DeniedSigner SignerId="ID_SIGNER_ALSYSIO_1" />
+          <DeniedSigner SignerId="ID_SIGNER_ALSYSIO_2" />
           <DeniedSigner SignerId="ID_SIGNER_AMDPP" />
           <DeniedSigner SignerId="ID_SIGNER_ATILLK" />
           <DeniedSigner SignerId="ID_SIGNER_ASROCK_RWDRV" />
@@ -2032,9 +2311,12 @@ To check that the policy was successfully applied on your computer:
           <DeniedSigner SignerId="ID_SIGNER_CAPCOM" />
           <DeniedSigner SignerId="ID_SIGNER_CHEAT_ENGINE" />
           <DeniedSigner SignerId="ID_SIGNER_COMODO_IQVW" />
+          <DeniedSigner SignerId="ID_SIGNER_CPUZ_1" />
+          <DeniedSigner SignerId="ID_SIGNER_CPUZ_2" />
           <DeniedSigner SignerId="ID_SIGNER_DIGICERT_EV" />
           <DeniedSigner SignerId="ID_SIGNER_ELBY" />
           <DeniedSigner SignerId="ID_SIGNER_ENE" />
+          <DeniedSigner SignerId="ID_SIGNER_ETDSUPPORT" />
           <DeniedSigner SignerId="ID_SIGNER_FAIRPLAY_1" />
           <DeniedSigner SignerId="ID_SIGNER_FAIRPLAY_2" />
           <DeniedSigner SignerId="ID_SIGNER_FAIRPLAY_3" />
@@ -2070,6 +2352,10 @@ To check that the policy was successfully applied on your computer:
           <DeniedSigner SignerId="ID_SIGNER_HWRWDRV_1" />
           <DeniedSigner SignerId="ID_SIGNER_HWRWDRV_2" />
           <DeniedSigner SignerId="ID_SIGNER_INTEL_IQVW" />
+          <DeniedSigner SignerId="ID_SIGNER_IOBITUNLOCKER_1" />
+          <DeniedSigner SignerId="ID_SIGNER_IOBITUNLOCKER_2" />
+          <DeniedSigner SignerId="ID_SIGNER_IOBITUNLOCKER_3" />
+          <DeniedSigner SignerId="ID_SIGNER_IOBITUNLOCKER_4" />
           <DeniedSigner SignerId="ID_SIGNER_JCOS_1" />
           <DeniedSigner SignerId="ID_SIGNER_JCOS_2" />
           <DeniedSigner SignerId="ID_SIGNER_JEROMIN_CODY_ERIC" />
@@ -2078,6 +2364,7 @@ To check that the policy was successfully applied on your computer:
           <DeniedSigner SignerId="ID_SIGNER_LV_LOGITECH" />
           <DeniedSigner SignerId="ID_SIGNER_MAN_MUS" />
           <DeniedSigner SignerId="ID_SIGNER_MB_RB_HACKS" />
+          <DeniedSigner SignerId="ID_SIGNER_MICKS" />
           <DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL" />
           <DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL_SHA2" />
           <DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_USER" />
@@ -2090,8 +2377,11 @@ To check that the policy was successfully applied on your computer:
           <DeniedSigner SignerId="ID_SIGNER_NVFLASH" />
           <DeniedSigner SignerId="ID_SIGNER_NVFLASH_2" />
           <DeniedSigner SignerId="ID_SIGNER_NVFLASH_3" />
+          <DeniedSigner SignerId="ID_SIGNER_NVOCLOCK" />
           <DeniedSigner SignerId="ID_SIGNER_OPENLIBSYS"/>
           <DeniedSigner SignerId="ID_SIGNER_PAN" />
+          <DeniedSigner SignerId="ID_SIGNER_PAVEL_Y_1" />
+          <DeniedSigner SignerId="ID_SIGNER_PAVEL_Y_2" />
           <DeniedSigner SignerId="ID_SIGNER_PHYSMEM" />
           <DeniedSigner SignerId="ID_SIGNER_PCDOC"/>
           <DeniedSigner SignerId="ID_SIGNER_PROCEXP_1" />
@@ -2105,6 +2395,7 @@ To check that the policy was successfully applied on your computer:
           <DeniedSigner SignerId="ID_SIGNER_SANDRA" />
           <DeniedSigner SignerId="ID_SIGNER_SANDRA_THAWTE" />
           <DeniedSigner SignerId="ID_SIGNER_SPEEDFAN" />
+          <DeniedSigner SignerId="ID_SIGNER_SYSDRV3S" />
           <DeniedSigner SignerId="ID_SIGNER_PHYMEM" />
           <DeniedSigner SignerId="ID_SIGNER_PHYMEM_1" />
           <DeniedSigner SignerId="ID_SIGNER_PHYMEM_2" />
@@ -2146,1055 +2437,1261 @@ To check that the policy was successfully applied on your computer:
           <DeniedSigner SignerId="ID_SIGNER_ZEMANA_3" />
         </DeniedSigners>
         <FileRulesRef>
-            <FileRuleRef RuleID="ID_ALLOW_ALL_1" />
-            <FileRuleRef RuleID="ID_DENY_AGENT64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_AGENT64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_AGENT64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_AGENT64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA1_1" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA256_1" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA1_PAGE_1" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA256_PAGE_1" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA1_2" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA256_2" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA1_PAGE_2" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA256_PAGE_2" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA1_1" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA256_1" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA1_PAGE_1" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA256_PAGE_1" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA1_2" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA256_2" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA1_PAGE_2" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA256_PAGE_2" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV10_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV10_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV10_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV10_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV101_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV101_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV101_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV101_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV102_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV102_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV102_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV102_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV103_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV103_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV103_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV103_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_5A" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_5B" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_5C" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_5D" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_5E" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_5F" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_60" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_61" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_62" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_63" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_64" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_65" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_66" />
-            <FileRuleRef RuleID="ID_DENY_ASRDRV104_67" />
-            <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_39" />
-            <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_3A" />
-            <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_3B" />
-            <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_3C" />
-            <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_3D" />
-            <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_3E" />
-            <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_3F" />
-            <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_40" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_2" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_3" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_4" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_5" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_6" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_7" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_8" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_9" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_A" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_B" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_C" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_D" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_E" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_F" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_10" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_11" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_12" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_13" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_14" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_15" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_16" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_17" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_18" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_19" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_1A" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_1B" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_1C" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_1D" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_1E" />
-            <FileRuleRef RuleID="ID_DENY_ATILLK_1F" />
-            <FileRuleRef RuleID="ID_DENY_BANDAI_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_BANDAI_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_BANDAI_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_BANDAI_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_3" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_4" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_5" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_6" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_7" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_8" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_9" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_A" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_B" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_C" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_D" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_E" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_F" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_10" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_11" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_12" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_13" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_14" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_15" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_16" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_17" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_18" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_19" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_1A" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_1B" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_1C" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_1D" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_1E" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_1F" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_20" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_21" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_22" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_23" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_24" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_25" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_26" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_27" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_28" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_29" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2A" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2B" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2C" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2D" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2E" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2F" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_30" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_31" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_32" />
-            <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_33" />
-            <FileRuleRef RuleID="ID_DENY_CAPCOM_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_CAPCOM_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_CAPCOM_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_CAPCOM_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_DBUTIL_32_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_DBUTIL_32_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_DBUTIL_32_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_DBUTIL_32_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_DBUTIL_64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_DBUTIL_64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_DBUTIL_64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_DBUTIL_64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_FIDDRV_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_FIDDRV_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_FIDDRV_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_FIDDRV_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_FIDDRV64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_FIDDRV64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_FIDDRV64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_FIDDRV64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_FIDPCIDRV_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_FIDPCIDRV_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_FIDPCIDRV_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_FIDPCIDRV_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_FIDPCIDRV64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_FIDPCIDRV64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_FIDPCIDRV64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_FIDPCIDRV64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_GLCKIO2_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_GLCKIO2_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_GLCKIO2_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_GLCKIO2_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_GMER_1" />
-            <FileRuleRef RuleID="ID_DENY_GMER_2" />
-            <FileRuleRef RuleID="ID_DENY_GMER_3" />
-            <FileRuleRef RuleID="ID_DENY_GMER_4" />
-            <FileRuleRef RuleID="ID_DENY_GMER_5" />
-            <FileRuleRef RuleID="ID_DENY_GMER_6" />
-            <FileRuleRef RuleID="ID_DENY_GVCIDRV64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_GVCIDRV64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_GVCIDRV64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_GVCIDRV64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_WINFLASH64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_WINFLASH64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_WINFLASH64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_WINFLASH64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_3" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_4" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_5" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_6" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_7" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_8" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_9" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_A" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_B" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_C" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_11" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_12" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_13" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_14" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_15" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_16" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_17" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_18" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_19" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1A" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1B" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1C" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1D" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1E" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1F" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_20" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_21" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_22" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_23" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_24" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_25" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_26" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_27" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_28" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_29" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2A" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2B" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2C" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2D" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2E" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2F" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_30" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_31" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_32" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_33" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_34" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_35" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_36" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_37" />
-            <FileRuleRef RuleID="ID_DENY_AMIFLDRV_38" />
-            <FileRuleRef RuleID="ID_DENY_ASIO_1"/>
-            <FileRuleRef RuleID="ID_DENY_ASIO_2"/>
-            <FileRuleRef RuleID="ID_DENY_ASIO_3"/>
-            <FileRuleRef RuleID="ID_DENY_ASIO_4"/>
-            <FileRuleRef RuleID="ID_DENY_ASIO_5"/>
-            <FileRuleRef RuleID="ID_DENY_ASIO_6"/>
-            <FileRuleRef RuleID="ID_DENY_ASUPIO64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_ASUPIO64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_ASUPIO64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_ASUPIO64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_22" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_23" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_24" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_25" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_26" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_27" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_28" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_29" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_2A" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_2B" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_2C" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_2D" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_2E" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_2F" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_30" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_31" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_32" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_33" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_34" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_35" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_36" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_37" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_38" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_39" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_3A" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_3B" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_3C" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_3D" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_3E" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_3F" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_40" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_41" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_42" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_43" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_44" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_45" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_46" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_47" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_48" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_49" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_4A" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_4B" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_4C" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_4D" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_4E" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_4F" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_50" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_51" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_52" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_53" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_54" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_55" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_56" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_57" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_58" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_59" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_5A" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_5B" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_5C" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_5D" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_5E" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_5F" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_60" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_61" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_62" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_63" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_64" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_65" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_66" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_67" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_68" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_69" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_6A" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_6B" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_6C" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_6D" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_6E" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_6F" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_70" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_71" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_72" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_73" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_74" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_75" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_76" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_77" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_78" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_79" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_7A" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_7B" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_7C" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_7D" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_7E" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_7F" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_80" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_81" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_82" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_83" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_84" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_85" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_86" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_87" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_88" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_89" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_8A" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_8B" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_8C" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_8D" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_8E" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_8F" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_90" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_91" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_92" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_93" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_94" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_95" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_96" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_97" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_98" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_99" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_9A" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_9B" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_9C" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_9D" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_9E" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_9F" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_A0" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_A1" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_A2" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_A3" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_A4" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_A5" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_A6" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_A7" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_A8" />
-            <FileRuleRef RuleID="ID_DENY_BEDAISY_A9" />
-            <FileRuleRef RuleID="ID_DENY_BSFLASH64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_BSFLASH64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_BSFLASH64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_BSFLASH64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA1_1" />
-            <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA256_1" />
-            <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA1_PAGE_1" />
-            <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA256_PAGE_1" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_08" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_09" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_10" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_11" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_12" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_13" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_14" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_15" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_16" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_17" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_18" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_19" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_1A" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_1B" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_1C" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_1D" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_1E" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_1F" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_20" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_21" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_22" />
-            <FileRuleRef RuleID="ID_DENY_BS_RCIO_23" />
-            <FileRuleRef RuleID="ID_DENY_DHKERNEL_1" />
-            <FileRuleRef RuleID="ID_DENY_DHKERNEL_2" />
-            <FileRuleRef RuleID="ID_DENY_DHKERNEL_3" />
-            <FileRuleRef RuleID="ID_DENY_DHKERNEL_4" />
-            <FileRuleRef RuleID="ID_DENY_DHKERNEL_5" />
-            <FileRuleRef RuleID="ID_DENY_DHKERNEL_6" />
-            <FileRuleRef RuleID="ID_DENY_DHKERNEL_8" />
-            <FileRuleRef RuleID="ID_DENY_DHKERNEL_9" />
-            <FileRuleRef RuleID="ID_DENY_DHKERNEL_10"/>
-            <FileRuleRef RuleID="ID_DENY_DHKERNEL_11" />
-            <FileRuleRef RuleID="ID_DENY_DHKERNEL_12" />
-            <FileRuleRef RuleID="ID_DENY_DHKERNEL_13" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_12" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_13" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_14" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_15" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_16" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_17" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_18" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_19" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_1A" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_1B" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_1C" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_1D" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_1E" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_1F" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_20" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_21" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_22" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_23" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_24" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_25" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_26" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_27" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_28" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_29" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_2A" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_2B" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_2C" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_2D" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_2E" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_2F" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_30" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_31" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_32" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_33" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_34" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_35" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_36" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_37" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_38" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_39" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_3A" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_3B" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_42" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_43" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_44" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_45" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_46" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_47" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_48" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_49" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_4A" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_4B" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_4C" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_4D" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_4E" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_4F" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_50" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_51" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_52" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_53" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_54" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_55" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_56" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_57" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_58" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_59" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_5A" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_5B" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_5C" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_5D" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_5E" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_5F" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_60" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_61" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_62" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_63" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_64" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_65" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_66" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_67" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_68" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_69" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_6A" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_6B" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_6C" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_6D" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_6E" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_6F" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_70" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_71" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_72" />
-            <FileRuleRef RuleID="ID_DENY_DIRECTIO_73" />
-            <FileRuleRef RuleID="ID_DENY_EIO64_1" />
-            <FileRuleRef RuleID="ID_DENY_EIO64_2" />
-            <FileRuleRef RuleID="ID_DENY_EIO64_3" />
-            <FileRuleRef RuleID="ID_DENY_EIO64_4" />
-            <FileRuleRef RuleID="ID_DENY_EIO64_5" />
-            <FileRuleRef RuleID="ID_DENY_EIO64_6" />
-            <FileRuleRef RuleID="ID_DENY_EIO64_7" />
-            <FileRuleRef RuleID="ID_DENY_EIO64_8" />
-            <FileRuleRef RuleID="ID_DENY_HW_22" />
-            <FileRuleRef RuleID="ID_DENY_HW_23" />
-            <FileRuleRef RuleID="ID_DENY_HW_24" />
-            <FileRuleRef RuleID="ID_DENY_HW_25" />
-            <FileRuleRef RuleID="ID_DENY_HWRWDRV_2" />
-            <FileRuleRef RuleID="ID_DENY_HWRWDRV_3" />
-            <FileRuleRef RuleID="ID_DENY_HWRWDRV_4" />
-            <FileRuleRef RuleID="ID_DENY_HWRWDRV_5" />
-            <FileRuleRef RuleID="ID_DENY_HWRWDRV_6" />
-            <FileRuleRef RuleID="ID_DENY_HWRWDRV_7" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_11" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_12" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_13" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_14" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_15" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_16" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_17" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_18" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_19" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_1A" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_1B" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_1C" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_1D" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_1E" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_1F" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_20" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_21" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_22" />
-            <FileRuleRef RuleID="ID_DENY_INPOUTX_23" />
-            <FileRuleRef RuleID="ID_DENY_KLMD" />
-            <FileRuleRef RuleID="ID_DENY_LGCORETEMP_1" />
-            <FileRuleRef RuleID="ID_DENY_LGCORETEMP_2" />
-            <FileRuleRef RuleID="ID_DENY_LGCORETEMP_3" />
-            <FileRuleRef RuleID="ID_DENY_LGCORETEMP_4" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_1" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_2" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_3" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_4" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_5" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_6" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_7" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_8" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_9" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_A" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_B" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_C" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_D" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_E" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_F" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_10" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_11" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_12" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_13" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_14" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_15" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_16" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_17" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_18" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_19" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_1A" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_1B" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT2_1C" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_11" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_12" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_13" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_14" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_15" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_16" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_17" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_18" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_19" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_1A" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_1B" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_1C" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_1D" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_1E" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_1F" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_20" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_21" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROT3_22" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTECT_1" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTECT_2" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTECT_3" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTECT_4" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTECT_5" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTECT_6" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTECT_7" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTECT_8" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTNAP_1" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTNAP_2" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTNAP_3" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTNAP_4" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTRG_1" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTRG_2" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTRG_3" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTRG_4" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTRG_5" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTRG_6" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTRG_7" />
-            <FileRuleRef RuleID="ID_DENY_MHYPROTRG_8" />
-            <FileRuleRef RuleID="ID_DENY_MSIO_1" />
-            <FileRuleRef RuleID="ID_DENY_MSIO_2" />
-            <FileRuleRef RuleID="ID_DENY_MSIO_3" />
-            <FileRuleRef RuleID="ID_DENY_MSIO_4" />
-            <FileRuleRef RuleID="ID_DENY_MSIO_5" />
-            <FileRuleRef RuleID="ID_DENY_MSIO_6" />
-            <FileRuleRef RuleID="ID_DENY_MSIO_7" />
-            <FileRuleRef RuleID="ID_DENY_MSIO_8" />
-            <FileRuleRef RuleID="ID_DENY_MSIO_9" />
-            <FileRuleRef RuleID="ID_DENY_MSIO_10" />
-            <FileRuleRef RuleID="ID_DENY_MSIO_11" />
-            <FileRuleRef RuleID="ID_DENY_MSIO_12" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_1" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_2" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_3" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_4" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_5" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_6" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_7" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_8" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_9" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_A" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_B" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_C" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_D" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_E" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_F" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_10" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_11" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_12" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_13" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_14" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_15" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_16" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_17" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_18" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_19" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_1A" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_1B" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_1C" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_1D" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_1E" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_1F" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_20" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_21" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_22" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_23" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_24" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_25" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_26" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_27" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_28" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_29" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_2A" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_2B" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_2C" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_2D" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_2E" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_2F" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_30" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_31" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_32" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_33" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_34" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_35" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_36" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_37" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_38" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_39" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_3A" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_3B" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_3C" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_3D" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_3E" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_3F" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_40" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_41" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_42" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_43" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_44" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_45" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_46" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_47" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_48" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_49" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_4A" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_4B" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_4C" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_4D" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_4E" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_4F" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_50" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_51" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_52" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_53" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_54" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_55" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_56" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_57" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_58" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_59" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_5A" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_5B" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_5C" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_5D" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_5E" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_5F" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_60" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_61" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_62" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_63" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_64" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_65" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_66" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_67" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_68" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_69" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_6A" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_6B" />
-            <FileRuleRef RuleID="ID_DENY_NVFLASH_6C" />
-            <FileRuleRef RuleID="ID_DENY_OTIPCIBUS_1" />
-            <FileRuleRef RuleID="ID_DENY_OTIPCIBUS_2" />
-            <FileRuleRef RuleID="ID_DENY_OTIPCIBUS_3" />
-            <FileRuleRef RuleID="ID_DENY_OTIPCIBUS_4" />
-            <FileRuleRef RuleID="ID_DENY_PCHUNTER_3" />
-            <FileRuleRef RuleID="ID_DENY_PCHUNTER_4" />
-            <FileRuleRef RuleID="ID_DENY_PCHUNTER_5" />
-            <FileRuleRef RuleID="ID_DENY_PCHUNTER_6" />
-            <FileRuleRef RuleID="ID_DENY_PIDDRV_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_PIDDRV_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_PIDDRV_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_PIDDRV_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_PIDDRV64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_PIDDRV64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_PIDDRV64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_PIDDRV64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_PHYDMACC_1" />
-            <FileRuleRef RuleID="ID_DENY_PHYDMACC_2" />
-            <FileRuleRef RuleID="ID_DENY_PHYDMACC_3" />
-            <FileRuleRef RuleID="ID_DENY_PHYDMACC_4" />
-            <FileRuleRef RuleID="ID_DENY_PHYDMACC_5" />
-            <FileRuleRef RuleID="ID_DENY_PHYDMACC_6" />
-            <FileRuleRef RuleID="ID_DENY_PHYMEMX64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_PHYMEMX64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_PHYMEMX64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_PHYMEMX64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_WINRING0_SHA1" />
-            <FileRuleRef RuleID="ID_DENY_WINRING0_SHA256" />
-            <FileRuleRef RuleID="ID_DENY_WINRING0_SHA1_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_WINRING0_SHA256_PAGE" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_1" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_2" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_3" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_4" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_5" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_6" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_7" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_8" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_9" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_10" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_11" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_12" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_13" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_14" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_15" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_16" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_17" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_18" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_19" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_20" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_21" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_22" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_23" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_24" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_25" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_26" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_27" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_28" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_29" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_30" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_31" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_32" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_33" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_34" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_35" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_36" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_37" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_38" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_39" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_40" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_41" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_42" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_43" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_44" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_45" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_46" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_47" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_48" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_49" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_50" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_51" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_52" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_53" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_54" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_55" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_56" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_57" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_58" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_59" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_60" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_61" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_62" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_63" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_64" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_65" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_66" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_67" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_68" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_69" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_70" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_71" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_72" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_1" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_2" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_3" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_4" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_5" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_6" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_7" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_8" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_9" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_10" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_11" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_12" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_13" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_14" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_15" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_16" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_17" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_18" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_19" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_20" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_21" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_22" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_23" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_24" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_25" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_26" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_27" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_28" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_29" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_30" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_31" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_32" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_33" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_34" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_35" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_36" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_37" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_38" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_39" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_40" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_41" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_42" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_43" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_44" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_45" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_46" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_47" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_48" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_49" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_50" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_51" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_52" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_53" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_54" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_55" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_56" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_57" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_58" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_59" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_60" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_61" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_62" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_63" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_64" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_65" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_66" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_67" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_68" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_69" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_70" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_71" />
-            <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_72" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_29" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_2A" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_2B" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_2C" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_2D" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_2E" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_2F" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_30" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_31" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_32" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_33" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_34" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_35" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_36" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_37" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_38" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_39" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_3A" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_3B" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_3C" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_3D" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_3E" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_3F" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_40" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_41" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_42" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_43" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_44" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_45" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_46" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_47" />
-            <FileRuleRef RuleID="ID_DENY_RTCORE_48" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_2" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_3" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_4" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_5" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_6" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_7" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_8" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_9" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_A" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_B" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_C" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_D" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_E" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_F" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_10" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_11" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_12" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_13" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_14" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_15" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_16" />
-            <FileRuleRef RuleID="ID_DENY_SUPERBMC_17" />
-            <FileRuleRef RuleID="ID_DENY_SYSINFO_1" />
-            <FileRuleRef RuleID="ID_DENY_SYSINFO_2" />
-            <FileRuleRef RuleID="ID_DENY_SYSINFO_3" />
-            <FileRuleRef RuleID="ID_DENY_SYSINFO_4" />
-            <FileRuleRef RuleID="ID_DENY_SYSINFO_5" />
-            <FileRuleRef RuleID="ID_DENY_SYSINFO_6" />
-            <FileRuleRef RuleID="ID_DENY_SYSINFO_7" />
-            <FileRuleRef RuleID="ID_DENY_SYSINFO_8" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_1" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_2" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_3" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_4" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_5" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_6" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_7" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_8" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_9" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_10" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_11" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_12" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_13" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_14" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_15" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_16" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_17" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_18" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_19" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_20" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_21" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_22" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_23" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_24" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_25" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_26" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_27" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_28" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_29" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_30" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_31" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_32" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_33" />
-            <FileRuleRef RuleID="ID_DENY_WINIO_34" />
-            <FileRuleRef RuleID="ID_DENY_PROCESSHACKER" />
-            <FileRuleRef RuleID="ID_DENY_AMP" />
-            <FileRuleRef RuleID="ID_DENY_ASMMAP" />
-            <FileRuleRef RuleID="ID_DENY_ASMMAP_64" />
-            <FileRuleRef RuleID="ID_DENY_DBK_32" />
-            <FileRuleRef RuleID="ID_DENY_DBK_64" />
-            <FileRuleRef RuleID="ID_DENY_GDRV" />
-            <FileRuleRef RuleID="ID_DENY_PCHUNTER_1" />
-            <FileRuleRef RuleID="ID_DENY_PCHUNTER_2" />
-            <FileRuleRef RuleID="ID_DENY_PHYMEMX_64" />
+          <FileRuleRef RuleID="ID_ALLOW_ALL_1" />
+          <FileRuleRef RuleID="ID_DENY_AGENT64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_AGENT64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_AGENT64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_AGENT64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA1_1" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA256_1" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA1_PAGE_1" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA256_PAGE_1" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA1_2" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA256_2" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA1_PAGE_2" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_32_SHA256_PAGE_2" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA1_1" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA256_1" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA1_PAGE_1" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA256_PAGE_1" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA1_2" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA256_2" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA1_PAGE_2" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_64_SHA256_PAGE_2" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV10_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV10_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV10_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV10_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV101_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV101_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV101_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV101_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV102_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV102_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV102_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV102_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV103_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV103_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV103_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV103_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_5A" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_5B" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_5C" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_5D" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_5E" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_5F" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_60" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_61" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_62" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_63" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_64" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_65" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_66" />
+          <FileRuleRef RuleID="ID_DENY_ASRDRV104_67" />
+          <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_39" />
+          <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_3A" />
+          <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_3B" />
+          <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_3C" />
+          <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_3D" />
+          <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_3E" />
+          <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_3F" />
+          <FileRuleRef RuleID="ID_DENY_ASRSETUPDRV103_40" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_2" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_3" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_4" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_5" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_6" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_7" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_8" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_9" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_A" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_B" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_C" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_D" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_E" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_F" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_10" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_11" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_12" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_13" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_14" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_15" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_16" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_17" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_18" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_19" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_1A" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_1B" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_1C" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_1D" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_1E" />
+          <FileRuleRef RuleID="ID_DENY_ATILLK_1F" />
+          <FileRuleRef RuleID="ID_DENY_BANDAI_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_BANDAI_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_BANDAI_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_BANDAI_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_3" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_4" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_5" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_6" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_7" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_8" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_9" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_A" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_B" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_C" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_D" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_E" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_F" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_10" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_11" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_12" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_13" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_14" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_15" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_16" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_17" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_18" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_19" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_1A" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_1B" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_1C" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_1D" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_1E" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_1F" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_20" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_21" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_22" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_23" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_24" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_25" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_26" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_27" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_28" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_29" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2A" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2B" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2C" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2D" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2E" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_2F" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_30" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_31" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_32" />
+          <FileRuleRef RuleID="ID_DENY_IOBITUNLOCKER_33" />
+          <FileRuleRef RuleID="ID_DENY_CAPCOM_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_CAPCOM_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_CAPCOM_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_CAPCOM_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_DBUTIL_32_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_DBUTIL_32_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_DBUTIL_32_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_DBUTIL_32_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_DBUTIL_64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_DBUTIL_64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_DBUTIL_64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_DBUTIL_64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_FIDDRV_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_FIDDRV_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_FIDDRV_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_FIDDRV_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_FIDDRV64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_FIDDRV64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_FIDDRV64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_FIDDRV64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_FIDPCIDRV_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_FIDPCIDRV_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_FIDPCIDRV_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_FIDPCIDRV_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_FIDPCIDRV64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_FIDPCIDRV64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_FIDPCIDRV64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_FIDPCIDRV64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_GLCKIO2_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_GLCKIO2_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_GLCKIO2_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_GLCKIO2_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_GMER_1" />
+          <FileRuleRef RuleID="ID_DENY_GMER_2" />
+          <FileRuleRef RuleID="ID_DENY_GMER_3" />
+          <FileRuleRef RuleID="ID_DENY_GMER_4" />
+          <FileRuleRef RuleID="ID_DENY_GMER_5" />
+          <FileRuleRef RuleID="ID_DENY_GMER_6" />
+          <FileRuleRef RuleID="ID_DENY_GVCIDRV64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_GVCIDRV64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_GVCIDRV64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_GVCIDRV64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_WINFLASH64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_WINFLASH64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_WINFLASH64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_WINFLASH64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_3" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_4" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_5" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_6" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_7" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_8" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_9" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_A" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_B" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_C" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_11" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_12" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_13" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_14" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_15" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_16" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_17" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_18" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_19" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1A" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1B" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1C" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1D" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1E" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_1F" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_20" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_21" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_22" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_23" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_24" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_25" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_26" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_27" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_28" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_29" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2A" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2B" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2C" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2D" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2E" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_2F" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_30" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_31" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_32" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_33" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_34" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_35" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_36" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_37" />
+          <FileRuleRef RuleID="ID_DENY_AMIFLDRV_38" />
+          <FileRuleRef RuleID="ID_DENY_ASIO_1"/>
+          <FileRuleRef RuleID="ID_DENY_ASIO_2"/>
+          <FileRuleRef RuleID="ID_DENY_ASIO_3"/>
+          <FileRuleRef RuleID="ID_DENY_ASIO_4"/>
+          <FileRuleRef RuleID="ID_DENY_ASIO_5"/>
+          <FileRuleRef RuleID="ID_DENY_ASIO_6"/>
+          <FileRuleRef RuleID="ID_DENY_ASUPIO64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_ASUPIO64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_ASUPIO64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_ASUPIO64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_22" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_23" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_24" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_25" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_26" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_27" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_28" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_29" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_2A" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_2B" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_2C" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_2D" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_2E" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_2F" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_30" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_31" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_32" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_33" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_34" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_35" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_36" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_37" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_38" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_39" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_3A" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_3B" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_3C" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_3D" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_3E" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_3F" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_40" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_41" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_42" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_43" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_44" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_45" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_46" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_47" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_48" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_49" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_4A" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_4B" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_4C" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_4D" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_4E" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_4F" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_50" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_51" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_52" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_53" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_54" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_55" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_56" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_57" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_58" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_59" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_5A" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_5B" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_5C" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_5D" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_5E" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_5F" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_60" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_61" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_62" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_63" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_64" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_65" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_66" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_67" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_68" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_69" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_6A" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_6B" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_6C" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_6D" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_6E" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_6F" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_70" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_71" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_72" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_73" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_74" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_75" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_76" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_77" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_78" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_79" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_7A" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_7B" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_7C" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_7D" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_7E" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_7F" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_80" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_81" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_82" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_83" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_84" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_85" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_86" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_87" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_88" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_89" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_8A" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_8B" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_8C" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_8D" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_8E" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_8F" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_90" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_91" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_92" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_93" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_94" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_95" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_96" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_97" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_98" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_99" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_9A" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_9B" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_9C" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_9D" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_9E" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_9F" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_A0" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_A1" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_A2" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_A3" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_A4" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_A5" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_A6" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_A7" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_A8" />
+          <FileRuleRef RuleID="ID_DENY_BEDAISY_A9" />
+          <FileRuleRef RuleID="ID_DENY_BSFLASH64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_BSFLASH64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_BSFLASH64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_BSFLASH64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA1_1" />
+          <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA256_1" />
+          <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA1_PAGE_1" />
+          <FileRuleRef RuleID="ID_DENY_BSHWMIO64_SHA256_PAGE_1" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_08" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_09" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_10" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_11" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_12" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_13" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_14" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_15" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_16" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_17" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_18" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_19" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_1A" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_1B" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_1C" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_1D" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_1E" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_1F" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_20" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_21" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_22" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO_23" />
+          <FileRuleRef RuleID="ID_DENY_DHKERNEL_1" />
+          <FileRuleRef RuleID="ID_DENY_DHKERNEL_2" />
+          <FileRuleRef RuleID="ID_DENY_DHKERNEL_3" />
+          <FileRuleRef RuleID="ID_DENY_DHKERNEL_4" />
+          <FileRuleRef RuleID="ID_DENY_DHKERNEL_5" />
+          <FileRuleRef RuleID="ID_DENY_DHKERNEL_6" />
+          <FileRuleRef RuleID="ID_DENY_DHKERNEL_8" />
+          <FileRuleRef RuleID="ID_DENY_DHKERNEL_9" />
+          <FileRuleRef RuleID="ID_DENY_DHKERNEL_10"/>
+          <FileRuleRef RuleID="ID_DENY_DHKERNEL_11" />
+          <FileRuleRef RuleID="ID_DENY_DHKERNEL_12" />
+          <FileRuleRef RuleID="ID_DENY_DHKERNEL_13" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_12" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_13" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_14" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_15" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_16" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_17" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_18" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_19" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_1A" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_1B" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_1C" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_1D" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_1E" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_1F" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_20" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_21" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_22" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_23" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_24" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_25" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_26" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_27" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_28" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_29" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_2A" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_2B" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_2C" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_2D" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_2E" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_2F" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_30" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_31" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_32" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_33" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_34" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_35" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_36" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_37" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_38" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_39" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_3A" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_3B" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_42" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_43" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_44" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_45" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_46" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_47" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_48" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_49" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_4A" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_4B" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_4C" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_4D" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_4E" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_4F" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_50" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_51" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_52" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_53" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_54" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_55" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_56" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_57" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_58" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_59" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_5A" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_5B" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_5C" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_5D" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_5E" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_5F" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_60" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_61" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_62" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_63" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_64" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_65" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_66" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_67" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_68" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_69" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_6A" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_6B" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_6C" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_6D" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_6E" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_6F" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_70" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_71" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_72" />
+          <FileRuleRef RuleID="ID_DENY_DIRECTIO_73" />
+          <FileRuleRef RuleID="ID_DENY_ECHO_1" />
+          <FileRuleRef RuleID="ID_DENY_ECHO_2" />
+          <FileRuleRef RuleID="ID_DENY_ECHO_3" />
+          <FileRuleRef RuleID="ID_DENY_ECHO_4" />
+          <FileRuleRef RuleID="ID_DENY_ECHO_5" />
+          <FileRuleRef RuleID="ID_DENY_ECHO_6" />
+          <FileRuleRef RuleID="ID_DENY_ECHO_7" />
+          <FileRuleRef RuleID="ID_DENY_ECHO_8" />
+          <FileRuleRef RuleID="ID_DENY_ECHO_9" />
+          <FileRuleRef RuleID="ID_DENY_ECHO_A" />
+          <FileRuleRef RuleID="ID_DENY_ECHO_B" />
+          <FileRuleRef RuleID="ID_DENY_ECHO_C" />
+          <FileRuleRef RuleID="ID_DENY_EIO64_1" />
+          <FileRuleRef RuleID="ID_DENY_EIO64_2" />
+          <FileRuleRef RuleID="ID_DENY_EIO64_3" />
+          <FileRuleRef RuleID="ID_DENY_EIO64_4" />
+          <FileRuleRef RuleID="ID_DENY_EIO64_5" />
+          <FileRuleRef RuleID="ID_DENY_EIO64_6" />
+          <FileRuleRef RuleID="ID_DENY_EIO64_7" />
+          <FileRuleRef RuleID="ID_DENY_EIO64_8" />
+          <FileRuleRef RuleID="ID_DENY_GVCIDRV_1" />
+          <FileRuleRef RuleID="ID_DENY_GVCIDRV_2" />
+          <FileRuleRef RuleID="ID_DENY_GVCIDRV_3" />
+          <FileRuleRef RuleID="ID_DENY_GVCIDRV_4" />
+          <FileRuleRef RuleID="ID_DENY_HW_22" />
+          <FileRuleRef RuleID="ID_DENY_HW_23" />
+          <FileRuleRef RuleID="ID_DENY_HW_24" />
+          <FileRuleRef RuleID="ID_DENY_HW_25" />
+          <FileRuleRef RuleID="ID_DENY_HWRWDRV_2" />
+          <FileRuleRef RuleID="ID_DENY_HWRWDRV_3" />
+          <FileRuleRef RuleID="ID_DENY_HWRWDRV_4" />
+          <FileRuleRef RuleID="ID_DENY_HWRWDRV_5" />
+          <FileRuleRef RuleID="ID_DENY_HWRWDRV_6" />
+          <FileRuleRef RuleID="ID_DENY_HWRWDRV_7" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_11" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_12" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_13" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_14" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_15" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_16" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_17" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_18" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_19" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_1A" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_1B" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_1C" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_1D" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_1E" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_1F" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_20" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_21" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_22" />
+          <FileRuleRef RuleID="ID_DENY_INPOUTX_23" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4" />
+          <FileRuleRef RuleID="ID_DENY_IREC_5" />
+          <FileRuleRef RuleID="ID_DENY_IREC_6" />
+          <FileRuleRef RuleID="ID_DENY_IREC_7" />
+          <FileRuleRef RuleID="ID_DENY_IREC_8" />
+          <FileRuleRef RuleID="ID_DENY_IREC_9" />
+          <FileRuleRef RuleID="ID_DENY_IREC_A" />
+          <FileRuleRef RuleID="ID_DENY_IREC_B" />
+          <FileRuleRef RuleID="ID_DENY_IREC_C" />
+          <FileRuleRef RuleID="ID_DENY_IREC_D" />
+          <FileRuleRef RuleID="ID_DENY_IREC_E" />
+          <FileRuleRef RuleID="ID_DENY_IREC_F" />
+          <FileRuleRef RuleID="ID_DENY_IREC_10" />
+          <FileRuleRef RuleID="ID_DENY_IREC_11" />
+          <FileRuleRef RuleID="ID_DENY_IREC_12" />
+          <FileRuleRef RuleID="ID_DENY_IREC_13" />
+          <FileRuleRef RuleID="ID_DENY_IREC_14" />
+          <FileRuleRef RuleID="ID_DENY_IREC_15" />
+          <FileRuleRef RuleID="ID_DENY_IREC_16" />
+          <FileRuleRef RuleID="ID_DENY_IREC_17" />
+          <FileRuleRef RuleID="ID_DENY_IREC_18" />
+          <FileRuleRef RuleID="ID_DENY_IREC_19" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1A" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1B" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1C" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1D" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1E" />
+          <FileRuleRef RuleID="ID_DENY_IREC_1F" />
+          <FileRuleRef RuleID="ID_DENY_IREC_20" />
+          <FileRuleRef RuleID="ID_DENY_IREC_21" />
+          <FileRuleRef RuleID="ID_DENY_IREC_22" />
+          <FileRuleRef RuleID="ID_DENY_IREC_23" />
+          <FileRuleRef RuleID="ID_DENY_IREC_24" />
+          <FileRuleRef RuleID="ID_DENY_IREC_25" />
+          <FileRuleRef RuleID="ID_DENY_IREC_26" />
+          <FileRuleRef RuleID="ID_DENY_IREC_27" />
+          <FileRuleRef RuleID="ID_DENY_IREC_28" />
+          <FileRuleRef RuleID="ID_DENY_IREC_29" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2A" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2B" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2C" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2D" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2E" />
+          <FileRuleRef RuleID="ID_DENY_IREC_2F" />
+          <FileRuleRef RuleID="ID_DENY_IREC_30" />
+          <FileRuleRef RuleID="ID_DENY_IREC_31" />
+          <FileRuleRef RuleID="ID_DENY_IREC_32" />
+          <FileRuleRef RuleID="ID_DENY_IREC_33" />
+          <FileRuleRef RuleID="ID_DENY_IREC_34" />
+          <FileRuleRef RuleID="ID_DENY_IREC_35" />
+          <FileRuleRef RuleID="ID_DENY_IREC_36" />
+          <FileRuleRef RuleID="ID_DENY_IREC_37" />
+          <FileRuleRef RuleID="ID_DENY_IREC_38" />
+          <FileRuleRef RuleID="ID_DENY_IREC_39" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3A" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3B" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3C" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3D" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3E" />
+          <FileRuleRef RuleID="ID_DENY_IREC_3F" />
+          <FileRuleRef RuleID="ID_DENY_IREC_40" />
+          <FileRuleRef RuleID="ID_DENY_IREC_41" />
+          <FileRuleRef RuleID="ID_DENY_IREC_42" />
+          <FileRuleRef RuleID="ID_DENY_IREC_43" />
+          <FileRuleRef RuleID="ID_DENY_IREC_44" />
+          <FileRuleRef RuleID="ID_DENY_IREC_45" />
+          <FileRuleRef RuleID="ID_DENY_IREC_46" />
+          <FileRuleRef RuleID="ID_DENY_IREC_47" />
+          <FileRuleRef RuleID="ID_DENY_IREC_48" />
+          <FileRuleRef RuleID="ID_DENY_IREC_49" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4A" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4B" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4C" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4D" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4E" />
+          <FileRuleRef RuleID="ID_DENY_IREC_4F" />
+          <FileRuleRef RuleID="ID_DENY_IREC_50" />
+          <FileRuleRef RuleID="ID_DENY_IREC_51" />
+          <FileRuleRef RuleID="ID_DENY_IREC_52" />
+          <FileRuleRef RuleID="ID_DENY_IREC_53" />
+          <FileRuleRef RuleID="ID_DENY_IREC_54" />
+          <FileRuleRef RuleID="ID_DENY_KLMD" />
+          <FileRuleRef RuleID="ID_DENY_LGCORETEMP_1" />
+          <FileRuleRef RuleID="ID_DENY_LGCORETEMP_2" />
+          <FileRuleRef RuleID="ID_DENY_LGCORETEMP_3" />
+          <FileRuleRef RuleID="ID_DENY_LGCORETEMP_4" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_1" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_2" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_3" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_4" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_5" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_6" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_7" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_8" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_9" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_A" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_B" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_C" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_D" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_E" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_F" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_10" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_11" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_12" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_13" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_14" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_15" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_16" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_17" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_18" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_19" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_1A" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_1B" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_1C" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_11" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_12" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_13" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_14" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_15" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_16" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_17" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_18" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_19" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_1A" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_1B" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_1C" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_1D" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_1E" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_1F" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_20" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_21" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT3_22" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTECT_1" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTECT_2" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTECT_3" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTECT_4" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTECT_5" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTECT_6" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTECT_7" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTECT_8" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTNAP_1" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTNAP_2" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTNAP_3" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTNAP_4" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTRG_1" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTRG_2" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTRG_3" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTRG_4" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTRG_5" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTRG_6" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTRG_7" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROTRG_8" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_1" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_2" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_3" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_4" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_5" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_6" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_7" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_8" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_9" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_10" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_11" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_12" />
+          <FileRuleRef RuleID="ID_DENY_MSR_1" />
+          <FileRuleRef RuleID="ID_DENY_MSR_2" />
+          <FileRuleRef RuleID="ID_DENY_MSR_3" />
+          <FileRuleRef RuleID="ID_DENY_MSR_4" />
+          <FileRuleRef RuleID="ID_DENY_MSR_5" />
+          <FileRuleRef RuleID="ID_DENY_MSR_6" />
+          <FileRuleRef RuleID="ID_DENY_MSR_7" />
+          <FileRuleRef RuleID="ID_DENY_MSR_8" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_1" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_2" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_3" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_4" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_5" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_6" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_7" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_8" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_9" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_A" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_B" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_C" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_D" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_E" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_F" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_10" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_11" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_12" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_13" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_14" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_15" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_16" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_17" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_18" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_19" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_1A" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_1B" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_1C" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_1D" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_1E" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_1F" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_20" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_21" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_22" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_23" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_24" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_25" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_26" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_27" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_28" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_29" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_2A" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_2B" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_2C" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_2D" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_2E" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_2F" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_30" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_31" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_32" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_33" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_34" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_35" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_36" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_37" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_38" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_39" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_3A" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_3B" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_3C" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_3D" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_3E" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_3F" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_40" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_41" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_42" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_43" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_44" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_45" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_46" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_47" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_48" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_49" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_4A" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_4B" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_4C" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_4D" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_4E" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_4F" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_50" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_51" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_52" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_53" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_54" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_55" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_56" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_57" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_58" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_59" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_5A" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_5B" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_5C" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_5D" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_5E" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_5F" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_60" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_61" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_62" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_63" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_64" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_65" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_66" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_67" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_68" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_69" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_6A" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_6B" />
+          <FileRuleRef RuleID="ID_DENY_NVFLASH_6C" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_1" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_2" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_3" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_4" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_5" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_6" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_7" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_8" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_9" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_10" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_11" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_12" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_13" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_14" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_15" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_16" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_17" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_18" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_19" />
+          <FileRuleRef RuleID="ID_DENY_NVOCLOCK_20" />
+          <FileRuleRef RuleID="ID_DENY_OTIPCIBUS_1" />
+          <FileRuleRef RuleID="ID_DENY_OTIPCIBUS_2" />
+          <FileRuleRef RuleID="ID_DENY_OTIPCIBUS_3" />
+          <FileRuleRef RuleID="ID_DENY_OTIPCIBUS_4" />
+          <FileRuleRef RuleID="ID_DENY_PCHUNTER_3" />
+          <FileRuleRef RuleID="ID_DENY_PCHUNTER_4" />
+          <FileRuleRef RuleID="ID_DENY_PCHUNTER_5" />
+          <FileRuleRef RuleID="ID_DENY_PCHUNTER_6" />
+          <FileRuleRef RuleID="ID_DENY_PIDDRV_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_PIDDRV_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_PIDDRV_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_PIDDRV_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_PIDDRV64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_PIDDRV64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_PIDDRV64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_PIDDRV64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_PHYDMACC_1" />
+          <FileRuleRef RuleID="ID_DENY_PHYDMACC_2" />
+          <FileRuleRef RuleID="ID_DENY_PHYDMACC_3" />
+          <FileRuleRef RuleID="ID_DENY_PHYDMACC_4" />
+          <FileRuleRef RuleID="ID_DENY_PHYDMACC_5" />
+          <FileRuleRef RuleID="ID_DENY_PHYDMACC_6" />
+          <FileRuleRef RuleID="ID_DENY_PHYMEMX64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_PHYMEMX64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_PHYMEMX64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_PHYMEMX64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_0" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_1" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_2" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_3" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_4" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_5" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_6" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_7" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_8" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_9" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_A" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_B" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_C" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_D" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_E" />
+          <FileRuleRef RuleID="ID_DENY_QMBSEC_F" />
+          <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_SEMAV6MSR64_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_WINRING0_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_WINRING0_SHA256" />
+          <FileRuleRef RuleID="ID_DENY_WINRING0_SHA1_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_WINRING0_SHA256_PAGE" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_1" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_2" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_3" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_4" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_5" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_6" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_7" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_8" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_9" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_10" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_11" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_12" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_13" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_14" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_15" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_16" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_17" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_18" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_19" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_20" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_21" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_22" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_23" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_24" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_25" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_26" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_27" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_28" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_29" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_30" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_31" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_32" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_33" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_34" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_35" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_36" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_37" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_38" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_39" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_40" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_41" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_42" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_43" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_44" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_45" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_46" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_47" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_48" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_49" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_50" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_51" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_52" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_53" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_54" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_55" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_56" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_57" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_58" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_59" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_60" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_61" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_62" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_63" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_64" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_65" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_66" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_67" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_68" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_69" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_70" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_71" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA1_72" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_1" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_2" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_3" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_4" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_5" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_6" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_7" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_8" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_9" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_10" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_11" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_12" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_13" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_14" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_15" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_16" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_17" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_18" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_19" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_20" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_21" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_22" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_23" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_24" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_25" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_26" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_27" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_28" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_29" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_30" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_31" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_32" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_33" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_34" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_35" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_36" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_37" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_38" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_39" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_40" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_41" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_42" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_43" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_44" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_45" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_46" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_47" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_48" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_49" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_50" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_51" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_52" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_53" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_54" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_55" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_56" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_57" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_58" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_59" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_60" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_61" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_62" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_63" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_64" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_65" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_66" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_67" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_68" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_69" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_70" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_71" />
+          <FileRuleRef RuleID="ID_DENY_RETLIFTEN_SHA256_72" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_29" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_2A" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_2B" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_2C" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_2D" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_2E" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_2F" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_30" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_31" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_32" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_33" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_34" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_35" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_36" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_37" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_38" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_39" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_3A" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_3B" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_3C" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_3D" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_3E" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_3F" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_40" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_41" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_42" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_43" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_44" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_45" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_46" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_47" />
+          <FileRuleRef RuleID="ID_DENY_RTCORE_48" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_2" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_3" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_4" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_5" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_6" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_7" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_8" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_9" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_A" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_B" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_C" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_D" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_E" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_F" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_10" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_11" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_12" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_13" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_14" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_15" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_16" />
+          <FileRuleRef RuleID="ID_DENY_SUPERBMC_17" />
+          <FileRuleRef RuleID="ID_DENY_SYSDRV3S_1" />
+          <FileRuleRef RuleID="ID_DENY_SYSDRV3S_2" />
+          <FileRuleRef RuleID="ID_DENY_SYSDRV3S_3" />
+          <FileRuleRef RuleID="ID_DENY_SYSDRV3S_4" />
+          <FileRuleRef RuleID="ID_DENY_SYSDRV3S_5" />
+          <FileRuleRef RuleID="ID_DENY_SYSDRV3S_6" />
+          <FileRuleRef RuleID="ID_DENY_SYSDRV3S_7" />
+          <FileRuleRef RuleID="ID_DENY_SYSDRV3S_8" />
+          <FileRuleRef RuleID="ID_DENY_SYSDRV3S_9" />
+          <FileRuleRef RuleID="ID_DENY_SYSDRV3S_A" />
+          <FileRuleRef RuleID="ID_DENY_SYSDRV3S_B" />
+          <FileRuleRef RuleID="ID_DENY_SYSDRV3S_C" />
+          <FileRuleRef RuleID="ID_DENY_SYSINFO_1" />
+          <FileRuleRef RuleID="ID_DENY_SYSINFO_2" />
+          <FileRuleRef RuleID="ID_DENY_SYSINFO_3" />
+          <FileRuleRef RuleID="ID_DENY_SYSINFO_4" />
+          <FileRuleRef RuleID="ID_DENY_SYSINFO_5" />
+          <FileRuleRef RuleID="ID_DENY_SYSINFO_6" />
+          <FileRuleRef RuleID="ID_DENY_SYSINFO_7" />
+          <FileRuleRef RuleID="ID_DENY_SYSINFO_8" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_1" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_2" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_3" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_4" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_5" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_6" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_7" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_8" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_9" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_10" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_11" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_12" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_13" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_14" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_15" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_16" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_17" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_18" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_19" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_20" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_21" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_22" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_23" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_24" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_25" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_26" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_27" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_28" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_29" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_30" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_31" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_32" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_33" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_34" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_35" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_36" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_37" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_38" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_39" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_40" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_41" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_42" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_43" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_44" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_45" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_46" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_47" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_48" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_49" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_50" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_51" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_52" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_53" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_54" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_55" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_56" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_57" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_58" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_59" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_60" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_61" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_62" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_63" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_64" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_65" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_66" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_67" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_68" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_69" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_70" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_71" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_72" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_73" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_74" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_75" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_76" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_77" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_78" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_79" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_80" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_81" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_82" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_83" />
+          <FileRuleRef RuleID="ID_DENY_WINIO_84" />
+          <FileRuleRef RuleID="ID_DENY_PROCESSHACKER" />
+          <FileRuleRef RuleID="ID_DENY_AMP" />
+          <FileRuleRef RuleID="ID_DENY_ASMMAP" />
+          <FileRuleRef RuleID="ID_DENY_ASMMAP_64" />
+          <FileRuleRef RuleID="ID_DENY_DBK_32" />
+          <FileRuleRef RuleID="ID_DENY_DBK_64" />
+          <FileRuleRef RuleID="ID_DENY_GDRV" />
+          <FileRuleRef RuleID="ID_DENY_PCHUNTER_1" />
+          <FileRuleRef RuleID="ID_DENY_PCHUNTER_2" />
+          <FileRuleRef RuleID="ID_DENY_PHYMEMX_64" />
         </FileRulesRef>
       </ProductSigners>
     </SigningScenario>
@@ -3217,7 +3714,7 @@ To check that the policy was successfully applied on your computer:
     </Setting>
     <Setting Provider="PolicyInfo" Key="Information" ValueName="Id">
       <Value>
-        <String>10.0.25880.0</String>
+        <String>10.0.25965.0</String>
       </Value>
     </Setting>
   </Settings>
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
index 53788ab824..729ecd07ee 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md
@@ -1,40 +1,71 @@
 ---
-title: Managing CI Policies and Tokens with CiTool
-description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
-ms.topic: how-to
-ms.date: 04/05/2023
+title: Managing CI policies and tokens with CiTool
+description: Learn how to use policy commands, token commands, and miscellaneous commands in CiTool
+ms.topic: reference
+ms.date: 10/02/2023
+appliesto:
+- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
 ---
 
 # CiTool technical reference
 
-CiTool makes Windows Defender Application Control (WDAC) policy management easier for IT admins.  CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CiTool to update and manage policies.  CiTool is currently included as part of the Windows image in Windows 11 version 22H2.
+CiTool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. You can use this tool to manage Windows Defender Application Control policies and CI tokens. This article describes how to use CiTool to update and manage policies. It's currently included as part of the Windows image in Windows 11, version 22H2.
 
-## Policy Commands
+## Policy commands
 
 | Command | Description | Alias |
 |--------|---------|---------|
-| --update-policy `</Path/To/Policy/File>` | Add or update a policy on the current system | -up |
-| --remove-policy `<PolicyGUID>` | Remove a policy indicated by PolicyGUID from the system | -rp |
-| --list-policies | Dump information about all policies on the system, whether they're active or not | -lp |
+| `--update-policy </Path/To/Policy/File>` | Add or update a policy on the current system. | `-up` |
+| `--remove-policy <PolicyGUID>` | Remove a policy indicated by PolicyGUID from the system. | `-rp` |
+| `--list-policies` | Dump information about all policies on the system, whether they're active or not. | `-lp` |
 
-## Token Commands
+## Token commands
 
 | Command | Description | Alias |
 |--------|---------|---------|
-| --add-token `<Path/To/Token/File>` <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at |
-| --remove-token `<ID>` | Remove a Token indicated by ID from the system. | -rt |
-| --list-tokens | Dump information about all tokens on the system | -lt |
+| `--add-token <Path/To/Token/File> <--token-id ID>` | Deploy a token onto the current system, with an optional specific ID. | `-at` |
+| `--remove-token <ID>` | Remove a token indicated by ID from the system. | `-rt` |
+| `--list-tokens` | Dump information about all tokens on the system. | `-lt` |
 
 > [!NOTE]
-> Regarding `--add-token`, if `<ID>` is specified, a pre-existing token with `<ID>` should not exist.
+> Regarding `--add-token`, if `<ID>` is specified, a pre-existing token with `<ID>` shouldn't exist.
 
-## Miscellaneous Commands
+## Miscellaneous commands
 
 | Command | Description | Alias |
 |--------|---------|---------|
-| --device-id | Dump the Code Integrity Device ID | -id |
-| --refresh | Attempt to Refresh WDAC Policies | -r |
-| --help | Display the tool's help menu | -h |
+| `--device-id` | Dump the code integrity device ID. | `-id` |
+| `--refresh` | Attempt to refresh WDAC policies. | `-r` |
+| `--help` | Display the tool's help menu. | `-h` |
+
+## Output attributes and descriptions
+
+### List policies (`--list-policies`)
+
+```output
+    Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816
+    Base Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816
+    Friendly Name: Microsoft Windows Driver Policy
+    Version: 2814751463178240
+    Platform Policy: true
+    Policy is Signed: true
+    Has File on Disk: false
+    Is Currently Enforced: true
+    Is Authorized: true
+    Status: 0
+```
+
+| Attribute | Description | Example value |
+|--------|---------|---------|
+| Policy ID | Lists the ID of the policy. | `d2bda982-ccf6-4344-ac5b-0b44427b6816` |
+| Base Policy ID | Lists the ID of the base policy. | `d2bda982-ccf6-4344-ac5b-0b44427b6816` |
+| Friendly Name | Value listed in `<Setting Provider="PolicyInfo" Key="Information" ValueName="Name">` | `Microsoft Windows Driver Policy` |
+| Version | Version of the policy listed in `<VersionEx>` | `2814751463178240` |
+| Platform Policy | Indicates whether the policy is provided by Microsoft, for example in the vulnerable driver blocklist policy. | `true` |
+| Policy is Signed | Indicates whether the policy has a valid signature. | `true` |
+| Has File on Disk | Indicates whether the policy file is currently on the disk. | `false` |
+| Is Currently Enforced | Indicates whether the policy file is active. | `true` |
+| Is Authorized | If the policy requires a token to be activated, this value is the state of authorization for the token. If the policy doesn't require a token, this value matches the value for the **Is Currently Enforced** property. | `true` |
 
 ## Examples
 
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
index 7ee7a13013..22e5196913 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
@@ -5,7 +5,8 @@ ms.localizationpriority: medium
 ms.collection:
 - highpri
 - tier3
-ms.date: 04/06/2023
+- must-keep
+ms.date: 08/30/2023
 ms.topic: article
 ---
 
@@ -32,9 +33,9 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
 
 ## WDAC and Smart App Control
 
-Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
+Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
 
-Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect.
+Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect.
 
 | Value | Description |
 |-------|-------------|
@@ -47,7 +48,7 @@ Smart App Control is only available on clean installation of Windows 11 version
 
 ### Smart App Control Enforced Blocks
 
-Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
+Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control:
 
 - Infdefaultinstall.exe
 - Microsoft.Build.dll
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md
index 93ffec5801..5b544490b0 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -46,15 +46,15 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
 
 |Name|Supported versions|Description|Options|
 |-----------|------------------|-----------|-------|
-|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:<br/>- Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.|
-|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Allow Persistence|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
-|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
-|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher<p>Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
-|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<p>Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.|
-|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
-|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher<p>Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
-|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.<p>**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
+|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Education, 1809 or higher<p>Windows 11 Enterprise and Education|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:<br/>- Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.|
+|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Education, 1809 or higher<p>Windows 11 Enterprise and Education|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Education, 1809 or higher<p>Windows 11 Enterprise and Education|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
+|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Education, 1809 or higher<p>Windows 11 Enterprise and Education|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
+|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher<p>Windows 10 Education, 1809 or higher<p>Windows 11 Enterprise or Pro or Education|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
+|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Education, 1809 or higher<p>Windows 11 Enterprise and Education|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Education, 1809 or higher<p>Windows 11 Enterprise and Education|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
+|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher<p>Windows 10 Education, 1809 or higher<p>Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
+|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Education, 1809 or higher<p>Windows 11 Enterprise and Education|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.<p>**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
 ## Application Guard support dialog settings
 
 These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box.
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
index eeac8ba0d1..ac710efb7a 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
@@ -27,7 +27,8 @@ Standalone mode is applicable for:
 
 - Windows 10 Enterprise edition, version 1709 and later
 - Windows 10 Pro edition, version 1803 and later
-- Windows 11 and later
+- Windows 10 Education edition, version 1809 and later
+- Windows 11 Enterprise, Education, or Pro editions
 
 ## Enterprise-managed mode
 
@@ -36,7 +37,8 @@ You and your security department can define your corporate boundaries by explici
 Enterprise-managed mode is applicable for:
 
 - Windows 10 Enterprise edition, version 1709 and later
-- Windows 11 and later
+- Windows 10 Education edition, version 1809 and later
+- Windows 11 Enterprise or Education editions
 
 The following diagram shows the flow between the host PC and the isolated container.
 
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
index 190662392c..e27e886eea 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -34,6 +34,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
 
 | Software | Description |
 |--------|-----------|
-| Operating system | Windows 10 Enterprise edition, version 1809 or later <br/> Windows 10 Professional edition, version 1809 or later <br/> Windows 10 Professional for Workstations edition, version 1809 or later <br/> Windows 10 Professional Education edition, version 1809 or later <br/> Windows 10 Education edition, version 1809 or later <br/> Windows 11 Education, Enterprise, and Professional editions |
+| Operating system | Windows 10 Enterprise or Education editions, version 1809 or later <br/> Windows 10 Professional edition, version 1809 or later (only [standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard#standalone-mode) is supported)  <br/> Windows 11 Education or Enterprise editions <br/> Windows 11 Professional edition (only [Standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard#standalone-mode) is supported) |
 | Browser | Microsoft Edge |
 | Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Microsoft MDM solutions, see the documentation that came with your product. |
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
index 02bb837f09..928d31e27b 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
@@ -47,10 +47,11 @@ Windows Sandbox has the following properties:
 2. Enable virtualization on the machine.
 
    - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
-   - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
+   - If you're using a virtual machine, you need to enable nested virtualization. If needed, also update the VM to support nested virtualization. Run the following PowerShell commands on the host:
 
      ```powershell
      Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
+     Update-VMVersion -VMName <VMName>
      ```
 
 3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
diff --git a/windows/security/cloud-security/index.md b/windows/security/cloud-security/index.md
index 4a758c6aa6..b31f712e0f 100644
--- a/windows/security/cloud-security/index.md
+++ b/windows/security/cloud-security/index.md
@@ -2,7 +2,7 @@
 title: Windows and cloud security
 description: Get an overview of cloud security features in Windows
 ms.date: 08/02/2023
-ms.topic: conceptual
+ms.topic: overview
 author: paolomatarazzo
 ms.author: paoloma
 ---
diff --git a/windows/security/cloud-security/toc.yml b/windows/security/cloud-security/toc.yml
index 7c46b6e146..4132706858 100644
--- a/windows/security/cloud-security/toc.yml
+++ b/windows/security/cloud-security/toc.yml
@@ -1,7 +1,7 @@
 items:
 - name: Overview
   href: index.md
-- name: Join Active Directory and Azure AD with single sign-on (SSO) 🔗
+- name: Join Active Directory and Microsoft Entra ID with single sign-on (SSO) 🔗
   href: /azure/active-directory/devices/concept-azure-ad-join
 - name: Security baselines with Intune 🔗
   href: /mem/intune/protect/security-baselines
@@ -15,4 +15,3 @@ items:
   href: /windows/deployment/windows-autopatch
 - name: Windows Autopilot 🔗
   href: /windows/deployment/windows-autopilot
-
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 84fafe0fa1..040348819b 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -65,7 +65,10 @@
         "dstrome",
         "v-dihans",
         "garycentric",
-        "beccarobins"
+        "beccarobins",
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ],
       "searchScope": [
         "Windows 10"
@@ -77,7 +80,6 @@
         "application-security//**/*.yml": "vinaypamnani-msft",
         "application-security/application-control/windows-defender-application-control/**/*.md": "jsuther1974",
         "application-security/application-control/windows-defender-application-control/**/*.yml": "jsuther1974",
-        "application-security/application-control/user-account-control/*.md": "paolomatarazzo",
         "hardware-security/**/*.md": "vinaypamnani-msft",
         "hardware-security/**/*.yml": "vinaypamnani-msft",
         "information-protection/**/*.md": "vinaypamnani-msft",
@@ -98,8 +100,6 @@
         "application-security//**/*.yml": "vinpa",
         "application-security/application-control/windows-defender-application-control/**/*.md": "jsuther",
         "application-security/application-control/windows-defender-application-control/**/*.yml": "jsuther",
-        "application-security/application-control/user-account-control/*.md": "paoloma",
-        "application-security/application-control/user-account-control/*.yml": "paoloma",
         "hardware-security//**/*.md": "vinpa",
         "hardware-security//**/*.yml": "vinpa",
         "information-protection/**/*.md": "vinpa",
@@ -224,18 +224,18 @@
         "operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
       },
       "ms.collection": {
-        "application-security/application-control/windows-defender-application-control/**/*.md": "tier3",
+        "application-security/application-control/windows-defender-application-control/**/*.md": [ "tier3", "must-keep" ],
         "identity-protection/hello-for-business/*.md": "tier1",
         "information-protection/pluton/*.md": "tier1",
         "information-protection/tpm/*.md": "tier1",
         "threat-protection/auditing/*.md": "tier3",
         "operating-system-security/data-protection/bitlocker/*.md": "tier1",
         "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
-        "operating-system-security/network-security/windows-firewall/*.md": "tier3"
+        "operating-system-security/network-security/windows-firewall/*.md": [ "tier3", "must-keep" ]
       }
     },
     "template": [],
     "dest": "security",
     "markdownEngineName": "markdig"
   }
-}
\ No newline at end of file
+}
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index 89a10d9e0f..17cc685415 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -268,24 +268,24 @@ Value | Description
 
 #### SecurityServicesConfigured
 
-This field indicates whether Windows Defender Credential Guard or memory integrity has been configured.
+This field indicates whether Credential Guard or memory integrity has been configured.
 
 Value | Description
 -|-
 **0.** | No services are configured.
-**1.** | If present, Windows Defender Credential Guard is configured.
+**1.** | If present, Credential Guard is configured.
 **2.** | If present, memory integrity is configured.
 **3.** | If present, System Guard Secure Launch is configured.
 **4.** | If present, SMM Firmware Measurement is configured.
 
 #### SecurityServicesRunning
 
-This field indicates whether Windows Defender Credential Guard or memory integrity is running.
+This field indicates whether Credential Guard or memory integrity is running.
 
 Value | Description
 -|-
 **0.** | No services running.
-**1.** | If present, Windows Defender Credential Guard is running.
+**1.** | If present, Credential Guard is running.
 **2.** | If present, memory integrity is running.
 **3.** | If present, System Guard Secure Launch is running.
 **4.** | If present, SMM Firmware Measurement is running.
diff --git a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
index 15c8a64f62..35ef8a1826 100644
--- a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
@@ -61,7 +61,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
 ![Verifying Secure Launch is running in the Windows Security settings.](images/secure-launch-msinfo.png)
 
 > [!NOTE]
-> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/index.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
 
 > [!NOTE]
 > For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
diff --git a/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
index b150c5e788..e75ebe55d6 100644
--- a/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
@@ -57,7 +57,7 @@ For TPM-based virtual smart cards, the TPM protects the use and storage of the c
 
 Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, username/password solutions for authentication often reuse the same credential combinations on multiple devices and services. If those credentials are compromised, they are compromised in multiple places. Windows Hello for Business combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices.
 
-The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](https://go.microsoft.com/fwlink/p/?LinkId=533889).
+The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Entra account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](https://go.microsoft.com/fwlink/p/?LinkId=533889).
 
 Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
 
diff --git a/windows/security/hardware-security/tpm/tpm-recommendations.md b/windows/security/hardware-security/tpm/tpm-recommendations.md
index a4d4b53a79..afea335006 100644
--- a/windows/security/hardware-security/tpm/tpm-recommendations.md
+++ b/windows/security/hardware-security/tpm/tpm-recommendations.md
@@ -104,7 +104,7 @@ The following table defines which Windows features require TPM support.
  Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
  Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers.
  Device Health Attestation| Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
- Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage.
+ Windows Hello/Windows Hello for Business| No | Yes | Yes | Microsoft Entra join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage.
  UEFI Secure Boot | No | Yes | Yes
  TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes
  Virtual Smart Card | Yes | Yes | Yes
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index efbf40ef92..0cc106f7cb 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -39,7 +39,7 @@ This content set contains:
   - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts)
   - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups)
 
-[!INCLUDE [access-control-aclsscals](../../../../includes/licensing/access-control-aclsscals.md)]
+[!INCLUDE [access-control-aclsacl](../../../../includes/licensing/access-control-aclsacl.md)]
 
 ## Practical applications
 
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 101a50568b..1b41b86816 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -2,7 +2,7 @@
 ms.date: 08/03/2023
 title: Local Accounts
 description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
-ms.topic: conceptual
+ms.topic: concept-article
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index 32967fd8b7..5a6e9fd2c9 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -1,64 +1,93 @@
 ---
-ms.date: 08/17/2017
+ms.date: 08/31/2023
 title: Additional mitigations
-description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard.
-ms.topic: article
+description: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code.
+ms.topic: reference
 ---
 
 # Additional mitigations
 
-Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust.
+Credential Guard offers mitigations against attacks on derived credentials, preventing the use of stolen credentials elsewhere. However, devices can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using stolen credentials prior to the enablement of Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust.
 
-## Restricting domain users to specific domain-joined devices
+## Additional security qualifications
 
-Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+All devices that meet baseline protections for hardware, firmware, and software can use Credential Guard.\
+Devices that meet more qualifications can provide added protections to further reduce the attack surface.
+
+The following table list qualifications for improved security. We recommend meeting the additional qualifications to strengthen the level of security that Credential Guard can provide.
+
+|Protection |Requirements|Security Benefits|
+|---|---|---|
+|**Secure Boot configuration and management**|- BIOS password or stronger authentication must be supported</br> - In the BIOS configuration, BIOS authentication must be set</br> - There must be support for protected BIOS option to configure list of permitted boot devices (for example, *Boot only from internal hard drive*) and boot device order, overriding `BOOTORDER` modification made by the operating system | - Prevent other operating systems from starting <br> -Prevent changes to the BIOS settings|
+|**Hardware Rooted Trust Platform Secure Boot**|- Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby</br> - Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification)|- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware. </br> - HSTI provides security assurance for correctly secured silicon and platform|
+|**Firmware Update through Windows Update**|- Firmware must support field updates through Windows Update and UEFI encapsulation update|Helps ensure that firmware updates are fast, secure, and reliable.|
+|**Securing Boot Configuration and Management**|- Required BIOS capabilities: ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time </br> - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should use ISV-provided certificates or OEM certificate for the specific UEFI software|- Enterprises can choose to allow proprietary EFI drivers/applications to run </br> - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots|
+|**VBS enablement of No-Execute (NX) protection for UEFI runtime services**|- VBS enables NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet the following requirements: </br>&emsp; - Implement UEFI 2.6 `EFI_MEMORY_ATTRIBUTES_TABLE`. All UEFI runtime service memory (code and data) must be described by this table </br>&emsp; - PE sections must be page-aligned in memory (not required for in non-volatile storage). </br>&emsp; - The Memory Attributes Table needs to correctly mark code and data as `RO/NX` for configuration by the OS </br>&emsp; - All entries must include attributes `EFI_MEMORY_RO`, `EFI_MEMORY_XP`, or both. </br>&emsp; - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writable and non-executable </br> (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|- Vulnerabilities in UEFI runtime, if any, are blocked from compromising VBS (such as in functions like *UpdateCapsule* and *SetVariable*) </br> - Reduces the attack surface to VBS from system firmware.|
+|**Firmware support for SMM protection**|- The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware<br>- Blocks additional security attacks against SMM|
+
+> [!IMPORTANT]
+>
+> Regarding **VBS enablement of NX protection for UEFI runtime services**:
+>
+> - It only applies to UEFI runtime service memory, and not UEFI boot service memory
+> - The protection is applied by VBS on OS page tables
+> - Don't use sections that are both writable and executable
+> - Don't attempt to directly modify executable system memory
+> - Don't use dynamic code
+
+## Restrict domain users to specific domain-joined devices
+
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
 
 ### Kerberos armoring
 
-Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. 
+Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
+
+To enable Kerberos armoring for restricting domain users to specific domain-joined devices:
 
-**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
 - Users need to be in domains that are running Windows Server 2012 R2 or higher
 - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
-- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Kerberos**.
+- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Kerberos**.
 
-### Protecting domain-joined device secrets
+### Protect domain-joined device secrets
 
-Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
 
 Domain-joined device certificate authentication has the following requirements:
+
 - Devices' accounts are in Windows Server 2012 domain functional level or higher.
 - All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
   - KDC EKU present
-  -    DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
+  - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
 - Windows devices have the CA issuing the domain controller certificates in the enterprise store.
 - A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
 
-#### Deploying domain-joined device certificates
+#### Deploy domain-joined device certificates
 
 To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
 
 For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
 
-**Creating a new certificate template**
+**Create a new certificate template**
 
-1.  From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
-2.  Right-click **Workstation Authentication**, and then click **Duplicate Template**.
-3.  Right-click the new template, and then click **Properties**.
-4.  On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
-5.  Click **Client Authentication**, and then click **Remove**.
-6.  Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
+1.  From the Certificate Manager console, right-click **Certificate Templates > Manage**
+1.  Right-click **Workstation Authentication > Duplicate Template**
+1.  Right-click the new template, and then select **Properties**
+1.  On the **Extensions** tab, select **Application Policies > Edit**
+1.  Select **Client Authentication**, and then select **Remove**
+1.  Add the ID-PKInit-KPClientAuth EKU. Select **Add > New**, and then specify the following values:
     -   Name: Kerberos Client Auth
     -   Object Identifier: 1.3.6.1.5.2.3.4
-7.  On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
-8.  Under **Issuance Policies**, click**High Assurance**.
-9.  On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
+1.  On the **Extensions** tab, select **Issuance Policies > Edit**
+1.  Under **Issuance Policies**, select **High Assurance**
+1.  On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box
 
-Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created.
+Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
 
-**Enrolling devices in a certificate**
+**Enroll devices in a certificate**
 
 Run the following command:
+
 ```powershell
 CertReq -EnrollCredGuardCert MachineAuthentication
 ```
@@ -88,7 +117,7 @@ From a Windows PowerShell command prompt, run the following command:
 .\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName:"<name of issuance policy>" -groupOU:"<Name of OU to create>" -groupName:"<name of Universal security group to create>"
 ```
 
-### Restricting user sign-on
+### Restrict user sign-on
 
 So we now have completed the following:
 
@@ -101,25 +130,25 @@ Authentication policies have the following requirements:
 
 **Creating an authentication policy restricting users to the specific universal security group**
 
-1. Open Active Directory Administrative Center.
-1. Click **Authentication**, click **New**, and then click **Authentication Policy**.
-1. In the **Display name** box, enter a name for this authentication policy.
-1. Under the **Accounts** heading, click **Add**.
-1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
-1. Under the **User Sign On** heading, click the **Edit** button.
-1. Click **Add a condition**.
-1. In the **Edit Access Control Conditions** box, ensure that it reads **User** &gt; **Group** &gt; **Member of each** &gt; **Value**, and then click **Add items**.
-1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
-1. Click **OK** to close the **Edit Access Control Conditions** box.
-1. Click **OK** to create the authentication policy.
-1. Close Active Directory Administrative Center.
+1. Open Active Directory Administrative Center
+1. Select **Authentication > New > Authentication Policy**
+1. In the **Display name** box, enter a name for this authentication policy
+1. Under the **Accounts** heading, select **Add**
+1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then select **OK**
+1. Under the **User Sign On** heading, select the **Edit** button
+1. Select **Add a condition**
+1. In the **Edit Access Control Conditions** box, ensure that it reads **User > Group > Member of each > Value**, and then select **Add items**
+1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then select **OK**
+1. Select **OK** to close the **Edit Access Control Conditions** box
+1. Select **OK** to create the authentication policy
+1. Select Active Directory Administrative Center
 
 > [!NOTE]
 > When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
 
-#### Discovering authentication failures due to authentication policies
+#### Discover authentication failures due to authentication policies
 
-To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
+To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then select **Enable Log**.
 
 To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486813(v=ws.11)).
 
diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
new file mode 100644
index 0000000000..21c87bfeeb
--- /dev/null
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -0,0 +1,413 @@
+---
+title: Configure Credential Guard 
+description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
+ms.date: 08/31/2023
+ms.collection:
+  - highpri
+  - tier2
+ms.topic: how-to
+---
+
+# Configure Credential Guard
+
+This article describes how to configure Credential Guard using Microsoft Intune, Group Policy, or the registry.
+
+## Default enablement
+
+Starting in **Windows 11, version 22H2**, Credential Guard is turned on by default on devices that [meet the requirements](index.md#hardware-and-software-requirements). The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Guard remotely, if needed.
+
+If Credential Guard or VBS are disabled *before* a device is updated to Windows 11, version 22H2 or later, default enablement doesn't overwrite the existing settings.
+
+While the default state of Credential Guard changed, system administrators can [enable](#enable-credential-guard) or [disable](#disable-credential-guard) it using one of the methods described in this article.
+
+> [!IMPORTANT]
+> For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#single-sign-on-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).
+
+> [!NOTE]
+> Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.
+>
+> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Credential Guard, follow the instructions to [disable Virtualization-based Security](#disable-virtualization-based-security). If you wish to disable Credential Guard only, without disabling VBS, use the procedures to [disable Credential Guard](#disable-credential-guard).
+
+## Enable Credential Guard
+
+Credential Guard should be enabled before a device is joined to a domain or before a domain user signs in for the first time. If Credential Guard is enabled after domain join, the user and device secrets may already be compromised.
+
+To enable Credential Guard, you can use:
+
+- Microsoft Intune/MDM
+- Group policy
+- Registry
+
+[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+
+### Configure Credential Guard with Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| Device Guard | Credential Guard | Select one of the options:<br>&emsp;- **Enabled with UEFI lock**<br>&emsp;- **Enabled without lock** |
+
+>[!IMPORTANT]
+> If you want to be able to turn off Credential Guard remotely, choose the option **Enabled without lock**.
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+> [!TIP]
+> You can also configure Credential Guard by using an *account protection* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| **Setting name**: Turn On Virtualization Based Security<br>**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`<br>**Data type**: int<br>**Value**: `1`|
+| **Setting name**: Credential Guard Configuration<br>**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags`<br>**Data type**: int<br>**Value**:<br>&emsp;**Enabled with UEFI lock**: `1`<br>&emsp;**Enabled without lock**: `2`|
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+### Configure Credential Guard with group policy
+
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Device Guard** |Turn On Virtualization Based Security | **Enabled** and select one of the options listed under the **Credential Guard Configuration** dropdown:<br>&emsp;- **Enabled with UEFI lock**<br>&emsp;- **Enabled without lock**|
+
+>[!IMPORTANT]
+> If you want to be able to turn off Credential Guard remotely, choose the option **Enabled without lock**.
+
+[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+### Configure Credential Guard with registry settings
+
+To configure devices using the registry, use the following settings:
+
+| Setting |
+|--|
+| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard` <br>**Key name**: `EnableVirtualizationBasedSecurity`<br>**Type**: `REG_DWORD`<br>**Value**: `1` (to enable Virtualization Based Security)|
+| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard` <br>**Key name**: `RequirePlatformSecurityFeatures`<br>**Type**: `REG_DWORD`<br>**Value**:<br>&emsp;`1` (to use Secure Boot)<br>&emsp;`3` (to use Secure Boot and DMA protection) |
+| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` <br>**Key name**: `LsaCfgFlags`<br>**Type**: `REG_DWORD`<br>**Value**:<br>&emsp;`1` (to enable Credential Guard with UEFI lock)<br>&emsp;`2` (to enable Credential Guard without lock)|
+
+Restart the device to apply the change.
+
+> [!TIP]
+> You can enable Credential Guard by setting the registry entries in the [*FirstLogonCommands*](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting.
+
+---
+
+### Verify if Credential Guard is enabled
+
+Checking Task Manager if `LsaIso.exe` is running isn't a recommended method for determining whether Credential Guard is running. Instead, use one of the following methods:
+
+- System Information
+- PowerShell
+- Event Viewer
+
+#### System Information
+
+You can use *System Information* to determine whether Credential Guard is running on a device.
+
+1. Select **Start**, type `msinfo32.exe`, and then select **System Information**
+1. Select **System Summary**
+1. Confirm that **Credential Guard** is shown next to **Virtualization-based Security Services Running**
+
+#### PowerShell
+
+You can use PowerShell to determine whether Credential Guard is running on a device. From an elevated PowerShell session, use the following command:
+
+```powershell
+(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
+```
+
+The command generates the following output:  
+
+- **0**: Credential Guard is disabled (not running)
+- **1**: Credential Guard is enabled (running)
+
+#### Event viewer
+
+Perform regular reviews of the devices that have Credential Guard enabled, using security audit policies or WMI queries.\
+Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filter the event sources for *WinInit*:
+
+:::row:::
+  :::column span="1":::
+  **Event ID**
+  :::column-end:::
+  :::column span="3":::
+  **Description**
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="1":::
+  13 (Information)
+  :::column-end:::
+  :::column span="3":::
+  ```logging
+  Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
+  ```
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="1":::
+  `14` (Information)
+  :::column-end:::
+  :::column span="3":::
+  ```logging
+  Credential Guard (LsaIso.exe) configuration: [**0x0** | **0x1** | **0x2**], **0**
+  ```
+  - The first variable: **0x1** or **0x2** means that Credential Guard is configured to run. **0x0** means that it's not configured to run.
+  - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
+    :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="1":::
+  `15` (Warning)
+  :::column-end:::
+  :::column span="3":::
+  ```logging
+  Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running;
+  continuing without Credential Guard.
+  ```
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="1":::
+  `16` (Warning)
+  :::column-end:::
+  :::column span="3":::
+  ```logging
+  Credential Guard (LsaIso.exe) failed to launch: [error code]
+  ```
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="1":::
+  `17`
+  :::column-end:::
+  :::column span="3":::
+  ```logging
+  Error reading Credential Guard (LsaIso.exe) UEFI configuration: [error code]
+  ```
+  :::column-end:::
+:::row-end:::
+
+The following event indicates whether TPM is used for key protection. Path: `Applications and Services logs > Microsoft > Windows > Kernel-Boot`
+
+:::row:::
+  :::column span="1":::
+  **Event ID**
+  :::column-end:::
+  :::column span="3":::
+  **Description**
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="1":::
+  51 (Information)
+  :::column-end:::
+  :::column span="3":::
+  ```logging
+  VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+  ```
+  :::column-end:::
+:::row-end:::
+
+If you're running with a TPM, the TPM PCR mask value is something other than 0.
+
+## Disable Credential Guard
+
+There are different options to disable Credential Guard. The option you choose depends on how Credential Guard is configured:
+
+- Credential Guard running in a virtual machine can be [disabled by the host](#disable-credential-guard-for-a-virtual-machine)
+- If Credential Guard is enabled **with UEFI Lock**, follow the procedure described in [disable Credential Guard with UEFI Lock](#disable-credential-guard-with-uefi-lock)
+- If Credential Guard is enabled **without UEFI Lock**, or as part of the automatic enablement in the Windows 11, version 22H2 update, use one of the following options to disable it:
+  - Microsoft Intune/MDM
+  - Group policy
+  - Registry
+
+[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+
+### Disable Credential Guard with Intune
+
+If Credential Guard is enabled via Intune and without UEFI Lock, disabling the same policy setting disables Credential Guard.
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| Device Guard | Credential Guard | **Disabled** |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| **Setting name**: Credential Guard Configuration<br>**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags`<br>**Data type**: int<br>**Value**: `0`|
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+### Disable  Credential Guard with group policy
+
+If Credential Guard is enabled via Group Policy and without UEFI Lock, disabling the same group policy setting disables Credential Guard.
+
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Device Guard** |Turn On Virtualization Based Security | **Disabled** |
+
+[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+### Disable Credential Guard with registry settings
+
+If Credential Guard is enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys to disable it.
+
+| Setting |
+|-|
+| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` <br>**Key name**: `LsaCfgFlags`<br>**Type**: `REG_DWORD`<br>**Value**: `0`|
+| **Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard` <br>**Key name**: `LsaCfgFlags`<br>**Type**: `REG_DWORD`<br>**Value**: `0`|
+
+> [!NOTE]
+> Deleting these registry settings may not disable Credential Guard. They must be set to a value of 0.
+
+Restart the device to apply the change.
+
+---
+
+For information on disabling Virtualization-based Security (VBS), see [disable Virtualization-based Security](#disable-virtualization-based-security).
+
+### Disable Credential Guard with UEFI lock
+
+If Credential Guard is enabled with UEFI lock, follow this procedure since the settings are persisted in EFI (firmware) variables.
+
+> [!NOTE]
+> This scenario requires physical presence at the machine to press a function key to accept the change.
+
+1. Follow the steps in [Disable Credential Guard](#disable-credential-guard)
+1. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
+
+   ```cmd
+   mountvol X: /s
+   copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
+   bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
+   bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
+   bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
+   bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
+   bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
+   mountvol X: /d
+   ```
+
+1. Restart the device. Before the OS boots, a prompt appears notifying that UEFI was modified, and asking for confirmation. The prompt must be confirmed for the changes to persist.
+
+### Disable Credential Guard for a virtual machine
+
+From the host, you can disable Credential Guard for a virtual machine with the following command:
+
+```powershell
+Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
+```
+
+## Disable Virtualization-based Security
+
+If you disable Virtualization-based Security (VBS), you'll automatically disable Credential Guard and other features that rely on VBS.
+
+> [!IMPORTANT]
+> Other security features beside Credential Guard rely on VBS. Disabling VBS may have unintended side effects.
+
+Use one of the following options to disable VBS:
+
+- Microsoft Intune/MDM
+- Group policy
+- Registry
+
+[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+
+### Disable VBS with Intune
+
+If VBS is enabled via Intune and without UEFI Lock, disabling the same policy setting disables VBS.
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| Device Guard | Enable Virtualization Based Security | **Disabled** |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| **Setting name**: Turn On Virtualization Based Security<br>**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`<br>**Data type**: int<br>**Value**: `0`|
+
+Once the policy is applied, restart the device.
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+### Disable  VBS with group policy
+
+Configure the policy used to enable VBS to **Disabled**.
+
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security** |Turn On Virtualization Based Security | **Disabled** |
+
+[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
+
+Once the policy is applied, restart the device
+
+#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+### Disable VBS with registry settings
+
+Delete the following registry keys:
+
+| Setting |
+|--|
+| Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard` <br>Key name: `EnableVirtualizationBasedSecurity` |
+| Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard` <br>Key name: `RequirePlatformSecurityFeatures`|
+
+> [!IMPORTANT]
+> If you manually remove the registry settings, make sure to delete them all, otherwise the device might go into BitLocker recovery.
+
+Restart the device to apply the change.
+
+---
+
+If Credential Guard is enabled with UEFI Lock, the EFI variables stored in firmware must be cleared using the command `bcdedit.exe`. From an elevated command prompt, run the following commands:
+
+```cmd
+bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
+bcdedit /set vsmlaunchtype off
+```
+
+## Next steps
+
+- Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article
+- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md)
+
+<!--links-->
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-deviceguard#enablevirtualizationbasedsecurity
+[INT-1]: /mem/intune/configuration/settings-catalog
diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
new file mode 100644
index 0000000000..dbf52336f8
--- /dev/null
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -0,0 +1,222 @@
+---
+ms.date: 08/31/2023
+title: Considerations and known issues when using Credential Guard
+description: Considerations, recommendations and known issues when using Credential Guard.
+ms.topic: troubleshooting
+---
+
+# Considerations and known issues when using Credential Guard
+
+It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards.
+
+## Wi-fi and VPN considerations
+
+When you enable Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
+
+If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
+
+For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS).
+
+## Kerberos considerations
+
+When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\
+Use constrained or resource-based Kerberos delegation instead.
+
+## Third party Security Support Providers considerations
+
+Some third party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\
+It's recommended that custom implementations of SSPs/APs are tested with Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs.
+
+For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package).
+
+## Upgrade considerations
+
+As the depth and breadth of protections provided by Credential Guard are increased, new releases of Windows with Credential Guard running may affect scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities.
+
+Test scenarios required for operations in an organization before upgrading a device using Credential Guard.
+
+## Saved Windows credentials considerations
+
+*Credential Manager* allows you to store three types of credentials:
+
+- Windows credentials
+- Certificate-based credentials
+- Generic credentials
+
+Domain credentials that are stored in *Credential Manager* are protected with Credential Guard.
+
+Generic credentials, such as user names and passwords that you use to sign in websites, aren't protected since the applications require your clear-text password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network.
+
+The following considerations apply to the Credential Guard protections for Credential Manager:
+
+- Windows credentials saved by the Remote Desktop client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed*
+- Applications that extract Windows credentials fail
+- When credentials are backed up from a PC that has Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Credential Guard
+
+## TPM clearing considerations
+
+Virtualization-based Security (VBS) uses the TPM to protect its key. When the TPM is cleared, the TPM protected key used to encrypt VBS secrets is lost.
+
+>[!WARNING]
+> Clearing the TPM results in loss of protected data for all features that use VBS to protect data.
+>
+> When a TPM is cleared, **all** features that use VBS to protect data can no longer decrypt their protected data.
+
+As a result, Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever.
+
+>[!NOTE]
+> Credential Guard obtains the key during initialization. The data loss will only impact persistent data and occur after the next system startup.
+
+### Windows credentials saved to Credential Manager
+
+Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard.
+
+### Domain-joined device's automatically provisioned public key
+
+Active Directory domain-joined devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+
+Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless other policies are deployed, there shouldn't be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+
+Also if any access control checks including authentication policies require devices to have either the `KEY TRUST IDENTITY (S-1-18-4)` or `FRESH PUBLIC KEY IDENTITY (S-1-18-3)` well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
+
+### Breaking DPAPI on domain-joined devices
+
+On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible.
+
+>[!IMPORTANT]
+> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
+
+Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost.
+If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
+
+Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller:
+
+|Credential Type | Behavior
+|---|---|---|
+| Certificate (smart card or Windows Hello for Business) | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. |
+| Password | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. |
+
+Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
+
+#### Impact of DPAPI failures on Windows Information Protection
+
+When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection.  The impact includes: Outlook is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
+
+**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
+
+## Known issues
+
+Credential Guard blocks certain authentication capabilities. Applications that require such capabilities won't function when Credential Guard is enabled.
+
+This article describes known issues when Credential Guard is enabled.
+
+### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2  
+
+Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running.  
+
+#### Affected devices
+
+Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements).
+  
+All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement.  
+
+> [!TIP]
+> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
+> If it's present, the device enables Credential Guard after the update.
+>
+> You can Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
+
+#### Cause of the issue
+
+Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include:
+
+- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)
+- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)
+- MS-CHAP (only SSO is blocked)
+- WDigest (only SSO is blocked)
+- NTLM v1 (only SSO is blocked)
+
+> [!NOTE]
+> Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.
+
+#### How to confirm the issue
+
+MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, version 22H2 update. To confirm if Credential Guard is blocking MS-CHAP or NTLMv1, open the Event Viewer (`eventvwr.exe`) and go to `Application and Services Logs\Microsoft\Windows\NTLM\Operational`. Check the following logs:
+
+:::row:::
+  :::column span="1":::
+  **Event ID (type)**
+  :::column-end:::
+  :::column span="3":::
+  **Description**
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="1":::
+  4013 (Warning)
+  :::column-end:::
+  :::column span="3":::
+    ```logging
+    <string
+      id="NTLMv1BlockedByCredGuard"
+      value="Attempt to use NTLMv1 failed.
+      Target server: %1%nSupplied user: %2%nSupplied domain: %3%nPID
+      of client process: %4%nName
+      of client process: %5%nLUID
+      of client process: %6%nUser identity
+      of client process: %7%nDomain name
+      of user identity of client process: %8%nMechanism OID: 9%n%n
+      This device doesn't support NTLMv1.
+    />
+    ```
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="1":::
+  4014 (Error)
+  :::column-end:::
+  :::column span="3":::
+    ```logging
+    <string
+      id="NTLMGetCredentialKeyBlockedByCredGuard"
+      value="Attempt to get credential key by call package blocked by Credential Guard.%n%n
+      Calling Process Name: %1%nService Host Tag: %2"
+    />
+    ```
+  :::column-end:::
+:::row-end:::
+
+#### How to fix the issue
+
+We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication, like PEAP-TLS or EAP-TLS. Credential Guard doesn't block certificate-based authentication.  
+
+For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.
+
+> [!TIP]
+> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to Windows 11, version 22H2. If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.
+>
+> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.  
+
+### Issues with third-party applications
+
+The following issue affects MSCHAPv2:
+
+- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a common enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352).
+
+The following issue affects the Java GSS API. See the following Oracle bug database article:
+
+- [JDK-8161921: Credential Guard doesn't allow sharing of TGT with Java](https://bugs.java.com/bugdatabase/view_bug?bug_id=8161921)
+
+When Credential Guard is enabled on Windows, the Java GSS API doesn't authenticate. Credential Guard blocks specific application authentication capabilities and doesn't provide the TGT session key to applications, regardless of registry key settings. For more information, see [Application requirements](index.md#application-requirements).
+
+#### Vendor support
+
+The following products and services don't support Credential Guard:
+
+- [Check Point Endpoint Security Client support for Microsoft Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
+- [*VMware Workstation and Device/Credential Guard aren't compatible* error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361)
+- [ThinkPad support for Hypervisor-Protected Code Integrity and Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039)
+- [Windows devices with Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
+
+>[!IMPORTANT]
+>This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Credential Guard on systems that run a specific version of Windows. Specific computer system models may be incompatible with Credential Guard.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
deleted file mode 100644
index d48686101c..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-ms.date: 01/06/2023
-title: Considerations when using Windows Defender Credential Guard
-description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard.
-ms.topic: article
----
-
-# Considerations when using Windows Defender Credential Guard
-
-It's recommended that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards.
-
-## Wi-fi and VPN considerations
-
-When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.\
-If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
-
-For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS).
-
-## Kerberos considerations
-
-When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\
-Use constrained or resource-based Kerberos delegation instead.
-
-## Third party Security Support Providers considerations
-
-Some third party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\
-It's recommended that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs.
-
-For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package).
-
-## Upgrade considerations
-
-As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, new releases of Windows with Windows Defender Credential Guard running may affect scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities.
-
-Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard.
-
-## Saved Windows credentials protected
-
-Domain credentials that are stored in *Credential Manager* are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials:
-
-- Windows credentials
-- Certificate-based credentials
-- Generic credentials
-
-Generic credentials, such as user names and passwords that you use to sign in websites, aren't protected since the applications require your clear-text password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network.
-
-The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
-
-- Windows credentials saved by the Remote Desktop client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed.*
-- Applications that extract Windows credentials fail
-- When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials
-
-## Clearing TPM considerations
-
-Virtualization-based Security (VBS) uses the TPM to protect its key. When the TPM is cleared, the TPM protected key used to encrypt VBS secrets is lost.
-
->[!WARNING]
-> Clearing the TPM results in loss of protected data for all features that use VBS to protect data.
->
-> When a TPM is cleared, **all** features that use VBS to protect data can no longer decrypt their protected data.
-
-As a result, Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever.
-
->[!NOTE]
-> Credential Guard obtains the key during initialization. The data loss will only impact persistent data and occur after the next system startup.
-
-### Windows credentials saved to Credential Manager
-
-Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard.
-
-### Domain-joined device's automatically provisioned public key
-
-Active Directory domain-joined devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
-
-Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless other policies are deployed, there shouldn't be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
-
-Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
-
-### Breaking DPAPI on domain-joined devices
-
-On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible.
-
->[!IMPORTANT]
-> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
-
-Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost.
-If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
-
-Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller:
-
-|Credential Type | Behavior
-|---|---|---|
-| Certificate (smart card or Windows Hello for Business) | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. |
-| Password | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. |
-
-Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
-
-#### Impact of DPAPI failures on Windows Information Protection
-
-When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection.  The impact includes: Outlook is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
-
-**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
\ No newline at end of file
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
deleted file mode 100644
index f6fafc39c0..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ /dev/null
@@ -1,26 +0,0 @@
----
-ms.date: 08/17/2017
-title: How Windows Defender Credential Guard works
-description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
-ms.topic: conceptual
----
-
-# How Windows Defender Credential Guard works
-
-Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
-
-For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-
-When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, aren't to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
-
-When Windows Defender Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
-
-Here's a high-level overview on how the LSA is isolated by using Virtualization-based security:
-
-![Windows Defender Credential Guard overview.](images/credguard.png)  
-
-## See also
-
-**Related videos**
-
-[What is Virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
deleted file mode 100644
index f05c26620f..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ /dev/null
@@ -1,155 +0,0 @@
----
-ms.date: 11/28/2022
-title: Windows Defender Credential Guard - Known issues
-description: Windows Defender Credential Guard - Known issues in Windows Enterprise
-ms.topic: article
----
-# Windows Defender Credential Guard: Known issues
-
-Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements).
-
-## Known Issue: Single Sign-On (SSO) for Network services breaks after upgrading to **Windows 11, version 22H2**  
-
-### Symptoms of the issue:  
-Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to log in and will be forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running.  
-
-### Affected devices:  
-Any device that enables Windows Defender Credential Guard may encounter this issue. As part of the Windows 11, version 22H2 update, eligible devices which had not previously explicitly disabled Windows Defender Credential Guard had it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements). 
-  
-\* All Pro devices which previously ran Windows Defender Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements), will receive default enablement.  
-
-> [!TIP]
-> To determine if your Pro device will receive default enablement when upgraded to **Windows 11, version 22H2**, do the following **before** upgrading:  
-> Check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. If it is present, the device will have Windows Defender Credential Guard enabled after upgrading. Note that Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](credential-guard-manage.md#disable-windows-defender-credential-guard).
-
-### Why this is happening:  
-Applications and services are affected by this issue when they rely on insecure protocols that use password-based authentication. Windows Defender Credential Guard blocks the use of these insecure protocols by design. These protocols are considered insecure because they can lead to password disclosure on the client and the server, which is in direct contradiction to the goals of Windows Defender Credential Guard. Affected procols include:
-  - Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)
-  - Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)
-  - MS-CHAP (only SSO is blocked)
-  - WDigest (only SSO is blocked)
-  - NTLM v1 (only SSO is blocked)  
-  
-Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.  
-
-> [!NOTE]
-> MS-CHAP and NTLMv1 are particularly relevant to the observed SSO breakage after the Windows 11, version 22H2 update. To confirm whether Windows Defender Credential Guard is blocking either of these protocols, check the NTLM event logs in Event Viewer at `Application and Services Logs\Microsoft\Windows\NTLM\Operational` for the following warning and/or error:  
-  >  
-  > **Event ID 4013** (Warning)  
-  > ```
-  > <string  
-  >   id="NTLMv1BlockedByCredGuard"  
-  >   value="Attempt to use NTLMv1 failed.
-  >   Target server: %1%nSupplied user: %2%nSupplied domain: %3%nPID of client process: %4%nName of client process: %5%nLUID of client process: %6%nUser identity of client process: %7%nDomain name of user identity of client process: %8%nMechanism OID: %9%n%nThis device does not support NTLMv1. For more information, see https://go.microsoft.com/fwlink/?linkid=856826."  
-  > />  
-  >  ```
-  >  
-  > **Event ID 4014** (Error)  
-  > ```
-  > <string  
-  >    id="NTLMGetCredentialKeyBlockedByCredGuard"  
-  >    value="Attempt to get credential key by call package blocked by Credential Guard.%n%nCalling Process Name: %1%nService Host Tag: %2"  
-  > />  
-  > ```
-
-### Options to fix the issue:  
-
-Microsoft recommends that organizations move away from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. Windows Defender Credential Guard will not block certificate-based authentication.  
-
-For a more immediate but less secure fix, [disable Windows Defender Credential Guard](credential-guard-manage.md#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring.  
-
-> [!TIP]
-> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage.md#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (which is the default state), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. This process can also be done via Mobile Device Management (MDM) policy rather than Group Policy if the devices are currently being managed by MDM.  
-
-## Known issues involving third-party applications
-
-The following issue affects MSCHAPv2:
-
-- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352).
-
-The following issue affects the Java GSS API. See the following Oracle bug database article:
-
-- [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
-
-When Windows Defender Credential Guard is enabled on Windows, the Java GSS API won't authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and won't provide the TGT session key to applications regardless of registry key settings. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements).
-
-The following issue affects Cisco AnyConnect Secure Mobility Client:
-
-- [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)
-
-The following issue affects McAfee Application and Change Control (MACC):
-
-- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869) <sup>[Note 1](#bkmk_note1)</sup>
-
-The following issue affects Citrix applications:
-
-- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. <sup>[Note 1](#bkmk_note1)</sup>
-
-<a name="bkmk_note1"></a>
-
-> [!NOTE]
-> **Note 1**: Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016, or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage).
->
-> For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes).
-
-## Vendor support
-
-For more information on Citrix support for Secure Boot, see [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
-
-Windows Defender Credential Guard isn't supported by the following products, products versions, computer systems, or Windows 10 versions:
-
-- [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009)
-
-- [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
-
-- ["VMware Workstation and Device/Credential Guard are not compatible" error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361)
-
-- [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039)
-
-- [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
-
-This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard.
-
-Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
-  
-## Previous known issues that have been fixed
-  
-The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4):
-
-- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
-
-    ```console
-    Task Scheduler failed to log on '\Test'.
-    Failure occurred in 'LogonUserExEx'.
-    User Action: Ensure the credentials for the task are correctly specified.
-    Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect).
-    ```
-
-- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example:
-
-    ```console
-    Log Name: Microsoft-Windows-NTLM/Operational
-    Source: Microsoft-Windows-Security-Netlogon
-    Event ID: 8004
-    Task Category: Auditing NTLM
-    Level: Information
-    Description:
-    Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
-    Secure Channel name: <Secure Channel Name>
-    User name:
-    @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
-    Domain name: NULL
-    ```
-
-  - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled.
-  - The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute.
-  - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
-
-The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
-
-- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722)
-
-    This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles:
-
-  - [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657)
-  - [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
deleted file mode 100644
index 086a008176..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ /dev/null
@@ -1,304 +0,0 @@
----
-title: Manage Windows Defender Credential Guard 
-description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry.
-ms.date: 11/23/2022
-ms.collection:
-  - highpri
-  - tier2
-ms.topic: article
----
-
-# Manage Windows Defender Credential Guard
-
-## Default Enablement
-
-Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.  
-  
-Known issues arising from default enablement are documented in [Windows Defender Credential Guard: Known issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).
-
-### Requirements for automatic enablement
-
-Windows Defender Credential Guard will be enabled by default when a PC meets the following minimum requirements:
-
-|Component|Requirement|
-|---|---|
-|Operating System|**Windows 11 Enterprise, version 22H2** or **Windows 11 Education, version 22H2**|
-|Existing Windows Defender Credential Guard Requirements|Only devices that meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.|
-|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2 and Windows 11 Education 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default.
-
-> [!NOTE]
-> If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting.
-
-> [!NOTE]
-> Devices running Windows 11 Pro 22H2 may have Virtualization-Based Security (VBS) and/or Windows Defender Credential Guard automaticaly enabled if they meet the other requirements for default enablement listed above and have previously run Windows Defender Credential Guard (for example if Windows Defender Credential Guard was running on an Enterprise device that later downgraded to Pro).
-> 
-> To determine whether the Pro device is in this state, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. In this scenario, if you wish to disable VBS and Windows Defender Credential Guard, follow the instructions for [disabling Virtualization-Based Security](#disabling-virtualization-based-security). If you wish to disable only Windows Defender Credential Guard without disabling Virtualization-Based Security, use the procedures for [disabling Windows Defender Credential Guard](#disable-windows-defender-credential-guard).
-
-## Enable Windows Defender Credential Guard
-
-Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy) or the [registry](#enable-windows-defender-credential-guard-by-using-the-registry). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
-The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
-
-> [!NOTE]
-> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only.
-
-### Enable Windows Defender Credential Guard by using Group Policy
-
-You can use Group Policy to enable Windows Defender Credential Guard. When enabled, it will add and enable the virtualization-based security features for you if needed.
-
-1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
-
-1. Select **Turn On Virtualization Based Security**, and then select the **Enabled** option.
-
-1. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
-
-1. In the **Credential Guard Configuration** box, select **Enabled with UEFI lock**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
-
-1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. For more information, see [System Guard Secure Launch and SMM protection](../../hardware-security/system-guard-secure-launch-and-smm-protection.md).
-
-   :::image type="content" source="images/credguard-gp.png" alt-text="Windows Defender Credential Guard Group Policy setting.":::
-
-1. Select **OK**, and then close the Group Policy Management Console.
-
-To enforce processing of the group policy, you can run `gpupdate /force`.
-
-### Enable Windows Defender Credential Guard by using Microsoft Intune
-
-1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**.
-
-1. Select **Configuration Profiles**.
-
-1. Select  **Create Profile** > **Windows 10 and later** > **Settings catalog** > **Create**.
-
-   1. Configuration settings: In the settings picker, select **Device Guard** as category and add the needed settings.
-
-> [!NOTE]
-> Enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
-
-> [!TIP]
-> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
-
-### Enable Windows Defender Credential Guard by using the registry
-
-If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features that have to be enabled first on some operating systems.
-
-#### Add the virtualization-based security features
-
-Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security isn't necessary and this step can be skipped.
-
-If you're using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
-To enable, use the Control Panel or the Deployment Image Servicing and Management tool (DISM).
-
-> [!NOTE]
-> If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
-
-##### Add the virtualization-based security features by using Programs and Features
-
-1. Open the Programs and Features control panel.
-
-1. Select **Turn Windows feature on or off**.
-
-1. Go to **Hyper-V** > **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
-
-1. Select the **Isolated User Mode** check box at the top level of the feature selection.
-
-1. Select **OK**.
-
-##### Add the virtualization-based security features to an offline image by using DISM
-
-1. Open an elevated command prompt.
-
-1. Add the Hyper-V Hypervisor by running the following command:
-
-   ```cmd
-   dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
-   ```
-
-1. Add the Isolated User Mode feature by running the following command:
-
-   ```cmd
-   dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
-   ```
-
-   > [!NOTE]
-   > In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
-
-> [!TIP]
-> You can also add these features to an online image by using either DISM or Configuration Manager.
-
-#### Enable virtualization-based security and Windows Defender Credential Guard
-
-1. Open Registry Editor.
-
-1. Enable virtualization-based security:
-
-   1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`.
-
-   1. Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
-
-   1. Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
-
-1. Enable Windows Defender Credential Guard:
-
-   1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`.
-
-   1. Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
-
-1. Close Registry Editor.
-
-> [!NOTE]
-> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting.
-
-### Review Windows Defender Credential Guard performance
-
-#### Is Windows Defender Credential Guard running?
-
-You can view System Information to check that Windows Defender Credential Guard is running on a PC.
-
-1. Select **Start**, type **msinfo32.exe**, and then select **System Information**.
-
-1. Select **System Summary**.
-
-1. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**.
-
-   :::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe).":::
-
-> [!NOTE]
-> For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features.
-
-- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard won't help to secure a device or identity that has already been compromised. So, we recommend turning on Credential Guard as early as possible.
-
-- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. You can use security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
-
-  - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
-
-  - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0**
-
-    - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run.
-
-    - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
-
-  - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running; continuing without Windows Defender Credential Guard.
-
-  - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
-
-  - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]  
-
-- You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs > Microsoft > Windows > Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you're running with a TPM, the TPM PCR mask value will be something other than 0.
-
-- You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
-
-  ```powershell
-  (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
-  ```
-
-  This command generates the following output:  
-
-  - **0**: Windows Defender Credential Guard is disabled (not running)
-
-  - **1**: Windows Defender Credential Guard is enabled (running)
-
-    > [!NOTE]  
-    > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running.
-
-## Disable Windows Defender Credential Guard
-
-Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and didn't have it enabled prior to the update, it's sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
-
-If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. The default enablement change in eligible 22H2 devices does **not** use a UEFI Lock.
-
-If Windows Defender Credential Guard was enabled via Group Policy without UEFI Lock, Windows Defender Credential Guard should be [disabled via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
-
-Otherwise, Windows Defender Credential Guard can be [disabled by changing registry keys](#disabling-windows-defender-credential-guard-using-registry-keys).
-
-Windows Defender Credential Guard running in a virtual machine can be [disabled by the host](#disable-windows-defender-credential-guard-for-a-virtual-machine).
-
-For information on disabling Virtualization-Based Security (VBS), see [Disabling Virtualization-Based Security](#disabling-virtualization-based-security).
-
-### Disabling Windows Defender Credential Guard using Group Policy
-
-If Windows Defender Credential Guard was enabled via Group Policy and without UEFI Lock, disabling the same Group Policy setting will disable Windows Defender Credential Guard.
-
-1. Disable the Group Policy setting that governs Windows Defender Credential Guard. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled":
-
-   :::image type="content" source="images/credguard-gp-disabled.png" alt-text="Windows Defender Credential Guard Group Policy set to Disabled.":::
-
-1. Restart the machine.
-
-### Disabling Windows Defender Credential Guard using Registry Keys
-
-If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard.
-
-1. Change the following registry settings to 0:
-
-   - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags`
-
-   - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags`
-
-     > [!NOTE]
-     > Deleting these registry settings may not disable Windows Defender Credential Guard. They must be set to a value of 0.
-
-1. Restart the machine.
-
-### Disabling Windows Defender Credential Guard with UEFI Lock
-
-If Windows Defender Credential Guard was enabled with UEFI Lock enabled, then the following procedure must be followed since the settings are persisted in EFI (firmware) variables. This scenario will require physical presence at the machine to press a function key to accept the change.
-
-1. If Group Policy was used to enable Windows Defender Credential Guard, disable the relevant Group Policy setting. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled".
-
-1. Change the following registry settings to 0:
-
-   - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags`
-
-   - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags`
-
-1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
-
-   ```cmd
-   mountvol X: /s
-   copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
-   bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
-   bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
-   bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
-   bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
-   bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
-   mountvol X: /d
-   ```
-
-1. Restart the PC. Before the OS boots, a prompt will appear notifying that UEFI was modified, and asking for confirmation. This prompt must be confirmed for the changes to persist. This step requires physical access to the machine.
-
-### Disable Windows Defender Credential Guard for a virtual machine
-
-From the host, you can disable Windows Defender Credential Guard for a virtual machine:
-
-```powershell
-Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
-```
-
-## Disabling Virtualization-Based Security
-
-Instructions are given below for how to disable Virtualization-Based Security (VBS) entirely, rather than just Windows Defender Credential Guard. Disabling Virtualization-Based Security will automatically disable Windows Defender Credential Guard and other features that rely on VBS.
-
-> [!IMPORTANT]
-> Other security features in addition to Windows Defender Credential Guard rely on Virtualization-Based Security in order to run. Disabling Virtualization-Based Security may have unintended side effects.
-
-1. If Group Policy was used to enable Virtualization-Based Security, set the Group Policy setting that was used to enable it (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**) to "Disabled".
-
-1. Delete the following registry settings:
-
-   - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity`
-
-   - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures`
-
-     > [!IMPORTANT]
-     > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
-
-1. If Windows Defender Credential Guard is running when disabling Virtualization-Based Security and either feature was enabled with UEFI Lock, the EFI (firmware) variables must be cleared using bcdedit. From an elevated command prompt, run the following bcdedit commands after turning off all Virtualization-Based Security Group Policy and registry settings as described in steps 1 and 2 above:
-
-     >
-     > ```cmd
-     > bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
-     > bcdedit /set vsmlaunchtype off
-     > ```
-
-1. Restart the PC.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
deleted file mode 100644
index 6719b3db77..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Windows Defender Credential Guard protection limits 
-description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
-ms.date: 08/17/2017
-ms.topic: article
----
-# Windows Defender Credential Guard protection limits
-
-Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
-
-- Software that manages credentials outside of Windows feature protection
-- Local accounts and Microsoft Accounts
-- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS.
-- Key loggers
-- Physical attacks
-- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
-- Third-party security packages
-- Digest and CredSSP credentials
-  - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
-- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.- 
-- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is.
-- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host.
-- Windows logon cached password verifiers (commonly called "cached credentials")
-don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available.
-
-## See also
-
-**Deep Dive into Windows Defender Credential Guard: Related videos**
-
-[Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection: Manage Credential Guard](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/manage-credential-guard?u=3322)
-> [!NOTE]
-> - Note: Requires [LinkedIn Learning subscription](https://www.linkedin.com/learning/subscription/products) to view the full video
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
deleted file mode 100644
index e8e539e520..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ /dev/null
@@ -1,138 +0,0 @@
----
-title: Windows Defender Credential Guard requirements
-description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
-ms.date: 12/27/2021
-ms.topic: article
----
-
-# Windows Defender Credential Guard requirements
-
-For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
-
-## Hardware and software requirements
-
-To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
-
-- Support for Virtualization-based security (required)
-- Secure boot (required)
-- Trusted Platform Module (TPM, preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware
-- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
-
-The Virtualization-based security requires:
-
-- 64-bit CPU
-- CPU virtualization extensions plus extended page tables
-- Windows hypervisor (does not require Hyper-V Windows Feature to be installed)
-
-### Windows Defender Credential Guard deployment in virtual machines
-
-Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
-
-#### Requirements for running Windows Defender Credential Guard in Hyper-V virtual machines
-
-- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
-- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10.
-  - TPM is not a requirement, but we recommend that you implement TPM.
-
-For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/).
-
-For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](/windows/access-protection/remote-credential-guard#hardware-and-software-requirements).
-
-## Application requirements
-
-When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
-
-> [!WARNING]
-> Enabling Windows Defender Credential Guard on domain controllers is not recommended at this time.
-> Windows Defender Credential Guard does not provide any added security to domain controllers, and can cause application compatibility issues on domain controllers.
-
-> [!NOTE]
-> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
-
-Applications will break if they require:
-
-- Kerberos DES encryption support
-- Kerberos unconstrained delegation
-- Extracting the Kerberos TGT
-- NTLMv1
-
-Applications will prompt and expose credentials to risk if they require:
-
-- Digest authentication
-- Credential delegation
-- MS-CHAPv2
-
-Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process.
-
-Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard.
-
-[!INCLUDE [windows-defender-credential-guard](../../../../includes/licensing/windows-defender-credential-guard.md)]
-
-## Security considerations
-
-All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.
-Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.
-The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
-
-> [!NOTE]
-> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
->
-> If you are an OEM, see [PC OEM requirements for Windows Defender Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations).
-
-### Baseline protections
-
-|Baseline Protections|Description|Security benefits
-|---|---|---|
-|Hardware: **64-bit CPU**        |A 64-bit computer is required for the Windows hypervisor to provide VBS.|
-|Hardware: **CPU virtualization extensions**, plus **extended page tables**|**Requirements**: </br> - These hardware features are required for VBS: One of the following virtualization extensions: - VT-x (Intel) or - AMD-V And: - Extended page tables, also called Second Level Address Translation (SLAT).|VBS provides isolation of secure kernel from normal operating system. </br></br> Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation.|
-|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../hardware-security/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
-|Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: </br> - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
-|Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
-|Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
-
-> [!IMPORTANT]
-> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.
-
-### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4
-
-|Protections for Improved Security|Description|
-|---|---|
-|Hardware: **IOMMU** (input/output memory management unit)|**Requirement**: </br> - VT-D or AMD Vi IOMMU </br> </br> **Security benefits**: </br> - An IOMMU can enhance system resiliency against memory attacks. For more information, see [Advanced Configuration and Power Interface (ACPI) description tables](/windows-hardware/drivers/bringup/acpi-system-description-tables)|
-|Firmware: **Securing Boot Configuration and Management**|**Requirements**: </br> - BIOS password or stronger authentication must be supported. </br> - In the BIOS configuration, BIOS authentication must be set. </br> - There must be support for protected BIOS option to configure list of permitted boot devices (for example, "Boot only from internal hard drive") and boot device order, overriding BOOTORDER modification made by operating system. </br> - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.|
-|Firmware: **Secure MOR, revision 2 implementation**|**Requirement**: </br> - Secure MOR, revision 2 implementation|
-
-### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
-
-> [!IMPORTANT]
-> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections.
-
-|Protections for Improved Security|Description|Security Benefits|
-|---|---|---|
-|Firmware: **Hardware Rooted Trust Platform Secure Boot**|**Requirements**: </br> - Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby</br> - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification).|Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware. </br> - HSTI provides additional security assurance for correctly secured silicon and platform.|
-|Firmware: **Firmware Update through Windows Update**|**Requirements**: </br> - Firmware must support field updates through Windows Update and UEFI encapsulation update.|Helps ensure that firmware updates are fast, secure, and reliable.|
-|Firmware: **Securing Boot Configuration and Management**|**Requirements**: </br> - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time. </br> - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.|- Enterprises can choose to allow proprietary EFI drivers/applications to run. </br> - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots.|
-
-### 2017 Additional security qualifications starting with Windows 10, version 1703
-
-The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications.
-
-|Protections for Improved Security|Description|Security Benefits
-|---|---|---|
-|Firmware: **VBS enablement of No-Execute (NX) protection for UEFI runtime services**|**Requirements**: </br> - VBS will enable NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet these requirements: </br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. </br> - PE sections must be page-aligned in memory (not required for in non-volatile storage). </br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS: </br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both. </br> - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writable and non-executable. </br> (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) </br> - Reduces the attack surface to VBS from system firmware.|
-|Firmware: **Firmware support for SMM protection**|**Requirements**: </br> - The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) </br> - Reduces the attack surface to VBS from system firmware. </br> - Blocks additional security attacks against SMM.|
-
-> [!IMPORTANT]
->
-> Regarding **VBS enablement of NX protection for UEFI runtime services**:
->
-> - This only applies to UEFI runtime service memory, and not UEFI boot service memory.
->
-> - This protection is applied by VBS on OS page tables.
->
->   Please also note the following:
->
->   - Do not use sections that are both writable and executable
->
->   - Do not attempt to directly modify executable system memory
->
->   - Do not use dynamic code
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
deleted file mode 100644
index 519ec863c8..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: Protect derived domain credentials with Windows Defender Credential Guard 
-description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
-ms.date: 11/22/2022
-ms.topic: article
-ms.collection: 
-  - highpri
-  - tier2
----
-
-# Protect derived domain credentials with Windows Defender Credential Guard
-
-Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
-
-By enabling Windows Defender Credential Guard, the following features and solutions are provided:
-
-- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
-- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
-- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate other security strategies and architectures.
-
-> [!NOTE]
-> As of Windows 11, version 22H2, Windows Defender Credential Guard has been enabled by default on all devices which meet the minimum requirements as specified in the [Default Enablement](credential-guard-manage.md#default-enablement) section. For information about known issues related to default enablement, see [Credential Guard: Known Issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).
-
-## Related topics
-
-- [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
-- [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382)
-- [What's New in Kerberos Authentication for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11))
-- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10))
-- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
-- [Mitigating Credential Theft using the Windows 10 Isolated User Mode](/shows/seth-juarez/mitigating-credential-theft-using-windows-10-isolated-user-mode)
-- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel](/shows/seth-juarez/isolated-user-mode-processes-features-in-windows-10-logan-gabriel)
-- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert](/shows/seth-juarez/more-on-processes-features-in-windows-10-isolated-user-mode-dave-probert)
-- [Isolated User Mode in Windows 10 with Dave Probert](/shows/seth-juarez/isolated-user-mode-in-windows-10-dave-probert)
-- [Windows 10 Virtual Secure Mode with David Hepkin](/shows/seth-juarez/windows-10-virtual-secure-mode-david-hepkin)
diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md
new file mode 100644
index 0000000000..f69a8b0486
--- /dev/null
+++ b/windows/security/identity-protection/credential-guard/how-it-works.md
@@ -0,0 +1,42 @@
+---
+ms.date: 08/31/2023
+title: How Credential Guard works
+description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
+ms.topic: conceptual
+---
+
+# How Credential Guard works
+
+Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-based security (VBS). Previous versions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process `lsass.exe`. With Credential Guard enabled, the LSA process in the operating system talks to a component called the *isolated LSA process* that stores and protects those secrets, `LSAIso.exe`. Data stored by the isolated LSA process is protected using VBS and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+
+For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All the binaries are signed with a certificate that VBS trusts, and the signatures are validated before launching the file in the protected environment.
+
+Here's a high-level overview on how the LSA is isolated by using Virtualization-based security:
+
+:::image type="content" source="images/credguard.png" alt-text="Diagram of the Credential Guard architecture.":::
+
+## Credential Guard protection limits
+
+Some ways to store credentials aren't protected by Credential Guard, including:
+
+- Software that manages credentials outside of Windows feature protection
+- Local accounts and Microsoft Accounts
+- Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS
+- Key loggers
+- Physical attacks
+- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization
+- Third-party security packages
+- When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Credential Guard with any of these protocols
+    > [!CAUTION]
+    > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Microsoft Entra users, secondary credentials should be provisioned for these use cases.
+- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well
+- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is protected
+- When Credential Guard is enabled, Kerberos doesn't allow *unconstrained Kerberos delegation* or *DES encryption*, not only for signed-in credentials, but also prompted or saved credentials
+- When Credential Guard is enabled on a VM, it protects secrets from attacks inside the VM. However, it doesn't provide protection from privileged system attacks originating from the host
+- Windows logon cached password verifiers (commonly called *cached credentials*) don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available
+
+## Next steps
+
+- Learn [how to configure Credential Guard](configure.md)
+- Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article
+- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md)
diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png b/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png
deleted file mode 100644
index bfb042a49d..0000000000
Binary files a/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png and /dev/null differ
diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp.png b/windows/security/identity-protection/credential-guard/images/credguard-gp.png
deleted file mode 100644
index ad34b6deb3..0000000000
Binary files a/windows/security/identity-protection/credential-guard/images/credguard-gp.png and /dev/null differ
diff --git a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png
deleted file mode 100644
index c9737e3236..0000000000
Binary files a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png and /dev/null differ
diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
new file mode 100644
index 0000000000..710f148343
--- /dev/null
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -0,0 +1,101 @@
+---
+title: Credential Guard overview
+description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
+ms.date: 08/31/2023
+ms.topic: overview
+ms.collection: 
+  - highpri
+  - tier1
+---
+
+# Credential Guard overview
+
+Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials.
+
+Credential Guard uses [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like *pass the hash* and *pass the ticket*.
+
+When enabled, Credential Guard provides the following benefits:
+
+- **Hardware security**: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials
+- **Virtualization-based security**: NTLM, Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system
+- **Protection against advanced persistent threats**: when credentials are protected using VBS, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by VBS
+
+> [!NOTE]
+> While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, and you should also incorporate other security strategies and architectures.
+
+> [!IMPORTANT]
+> Starting in Windows 11, version 22H2, VBS and Credential Guard are enabled by default on all devices that meet the system requirements.\
+> For information about known issues related to the default enablement of Credential Guard, see [Credential Guard: Known Issues](considerations-known-issues.md).
+
+## System requirements
+
+For Credential Guard to provide protection, the devices must meet certain hardware, firmware, and software requirements.
+
+Devices that meet more hardware and firmware qualifications than the minimum requirements, receive additional protections and are more hardened against certain threats.
+
+### Hardware and software requirements
+
+Credential Guard requires the features:
+
+- Virtualization-based security (VBS)
+  >[!NOTE]
+  > VBS has different requirements to enable it on different hardware platforms. For more information, see [Virtualization-based Security requirements](/windows-hardware/design/device-experiences/oem-vbs)
+- [Secure Boot](../../operating-system-security/system-security/secure-the-windows-10-boot-process.md#secure-boot)
+
+While not required, the following features are recommended to provide additional protections:
+
+- Trusted Platform Module (TPM), as it provides binding to hardware. TPM versions 1.2 and 2.0 are supported, either discrete or firmware
+- UEFI lock, as it prevents attackers from disabling Credential Guard with a registry key change
+
+For detailed information on protections for improved security that are associated with hardware and firmware options, see [additional security qualifications](additional-mitigations.md#additional-security-qualifications).
+
+#### Credential Guard in virtual machines
+
+Credential Guard can protect secrets in Hyper-V virtual machines, just as it would on a physical machine. When Credential Guard is enabled on a VM, secrets are protected from attacks *inside* the VM. Credential Guard doesn't provide protection from privileged system attacks originating from the host.
+
+The requirements to run Credential Guard in Hyper-V virtual machines are:
+
+- The Hyper-V host must have an IOMMU
+- The Hyper-V virtual machine must be generation 2
+
+> [!NOTE]
+> Credential Guard is not supported on Hyper-V or Azure generation 1 VMs. Credential Guard is available on generation 2 VMs only.
+
+[!INCLUDE [credential-guard](../../../../includes/licensing/credential-guard.md)]
+
+## Application requirements
+
+When Credential Guard is enabled, certain authentication capabilities are blocked. Applications that require such capabilities break. We refer to these requirements as *application requirements*.
+
+Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
+
+> [!WARNING]
+> Enabling Credential Guard on domain controllers isn't recommended.
+> Credential Guard doesn't provide any added security to domain controllers, and can cause application compatibility issues on domain controllers.
+
+> [!NOTE]
+> Credential Guard doesn't provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
+
+Applications break if they require:
+
+- Kerberos DES encryption support
+- Kerberos unconstrained delegation
+- Extracting the Kerberos TGT
+- NTLMv1
+
+Applications prompt and expose credentials to risk if they require:
+
+- Digest authentication
+- Credential delegation
+- MS-CHAPv2
+
+Applications may cause performance issues when they attempt to hook the isolated Credential Guard process `LSAIso.exe`.
+
+Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Credential Guard.
+
+## Next steps
+
+- Learn [how Credential Guard works](how-it-works.md)
+- Learn [how to configure Credential Guard](configure.md)
+- Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article
+- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/credential-guard/toc.yml b/windows/security/identity-protection/credential-guard/toc.yml
index 3661af7b0e..a4b737a9ec 100644
--- a/windows/security/identity-protection/credential-guard/toc.yml
+++ b/windows/security/identity-protection/credential-guard/toc.yml
@@ -1,17 +1,11 @@
 items:
-- name: Protect derived domain credentials with Credential Guard
-  href: credential-guard.md
+- name: Overview
+  href: index.md
 - name: How Credential Guard works
-  href: credential-guard-how-it-works.md
-- name: Requirements
-  href: credential-guard-requirements.md
-- name: Manage Credential Guard
-  href: credential-guard-manage.md
-- name: Credential Guard protection limits
-  href: credential-guard-protection-limits.md
-- name: Considerations when using Credential Guard
-  href: credential-guard-considerations.md
+  href: how-it-works.md
+- name: Configure Credential Guard
+  href: configure.md
 - name: Additional mitigations
   href: additional-mitigations.md
-- name: Known issues
-  href: credential-guard-known-issues.md
\ No newline at end of file
+- name: Considerations and known issues
+  href: considerations-known-issues.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index 47f0d59394..e384f47efe 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,7 +1,7 @@
 ---
 title: Enterprise certificate pinning
 description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name.
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 05/24/2023
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index cf9c8484b0..a99c25dc3c 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -30,7 +30,7 @@ The policy setting has three components:
 ## Configure unlock factors
 
 > [!CAUTION]
-> On Windows 11, when the [DontDisplayLastUserName](/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name) security policy is enabled, it is known to interfere with the ability to use multi factor unlock.
+> When the [DontDisplayLastUserName](/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name) security policy is enabled, it is known to interfere with the ability to use multi factor unlock.
 
 The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index dc32004a43..58eac4892c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business cloud-only deployment
 description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario.
-ms.date: 06/23/2021
+ms.date: 10/03/2023
 ms.topic: how-to
 ---
 # Cloud-only deployment
@@ -10,34 +10,34 @@ ms.topic: how-to
 
 ## Introduction
 
-When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, there's no additional configuration needed.
+When you Microsoft Entra join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in a cloud-only environment, there's no additional configuration needed.
 
-You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
+You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. This article describes how to disable Windows Hello for Business enrollment in a cloud only environment.
 
 > [!NOTE]
-> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
+> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
 
 ## Prerequisites
 
-Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
+Cloud only deployments will use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
 
 The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment).
 
-Also note that it's possible for federated domains to enable the *Supports MFA* flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge.
+It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command:
 
-Check and view this setting with the following MSOnline PowerShell command:
+```powershell
+Connect-MgGraph
+$DomainId = "<your federated domain name>"
+Get-MgDomainFederationConfiguration -DomainId $DomainId |fl
+```
 
-`Get-MsolDomainFederationSettings -DomainName <your federated domain name>`
+To reject the MFA claim from the federated IdP, use the following command. This change impacts all MFA scenarios for the federated domain.
 
-To disable this setting, run the following command. This change impacts ALL Azure AD MFA scenarios for this federated domain.
+```powershell
+Update-MgDomainFederationConfiguration -DomainId $DomainId -FederatedIdpMfaBehavior rejectMfaByFederatedIdp
+```
 
-`Set-MsolDomainFederationSettings -DomainName <your federated domain name> -SupportsMfa $false`
-
-Example:
-
-`Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false`
-
-If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP.
+If you use configure the flag with a value of either `acceptIfMfaDoneByFederatedIdp` (default) or `enforceMfaByFederatedIdp`, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IdP.
 
 ## Use Intune to disable Windows Hello for Business enrollment
 
@@ -58,11 +58,11 @@ The following method explains how to disable Windows Hello for Business enrollme
 
 ## Disable Windows Hello for Business enrollment without Intune
 
-If you don't use Intune in your organization, then you can disable Windows Hello for Business using the registry. You can use a third-party MDM, or some other method that you use to manage these devices. Because these systems are Azure AD Joined only, and not domain joined, these settings can also be made manually in the registry.
+If you don't use Intune in your organization, then you can disable Windows Hello for Business using the registry. You can use a third-party MDM, or some other method that you use to manage these devices. Because these systems are Microsoft Entra joined only, and not domain joined, these settings can also be made manually in the registry.
 
 Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
 
-To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
+To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
 
 ```msgraph-interactive
 GET https://graph.microsoft.com/v1.0/organization?$select=id
@@ -82,12 +82,3 @@ These registry settings can be applied from Local or Group Policies:
 - Value = **0** for Disable or Value = **1** for Enable
 
 If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results.
-
-## Related reference documents for Azure AD join scenarios
-
-- [Azure AD-joined devices](/azure/active-directory/devices/concept-azure-ad-join)
-- [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment)
-- [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan)
-- [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin)
-- [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal)
-- [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 744816323d..dbdfe3cab6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -1,7 +1,7 @@
 ---
 title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust model
 description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index b3059ee0c0..8a414df385 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -4,7 +4,7 @@ description: Configure Windows Hello for Business Policy settings for Windows He
 ms.collection: 
 - highpri
 - tier1
-ms.date: 12/12/2022
+ms.date: 09/07/2023
 ms.topic: tutorial
 ---
 # Configure Windows Hello for Business group policy settings - on-premises certificate Trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 455d4055a2..220079357a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -1,7 +1,7 @@
 ---
 title: Validate Active Directory prerequisites in an on-premises certificate trust
 description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a certificate trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index c7b67abec3..087d2813e3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -1,7 +1,7 @@
 ---
 title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
-description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model.
-ms.date: 12/13/2022
+description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model.
+ms.date: 09/07/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
@@ -11,21 +11,21 @@ appliesto:
 ms.topic: tutorial
 ---
 
-# Validate and deploy multi-factor authentication - on-premises certificate trust
+# Validate and deploy multifactor authentication - on-premises certificate trust
 
 [!INCLUDE [hello-on-premises-cert-trust](./includes/hello-on-premises-cert-trust.md)]
 
-Windows Hello for Business requires users perform multi-factor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
+Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
 
 - third-party authentication providers for AD FS
 - custom authentication provider for AD FS
 
 > [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
+> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
 
 For information about third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). To create a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method).
 
-Follow the integration and deployment guide for the authentication provider you plan to integrate to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
+Follow the integration and deployment guide for the authentication provider you plan to integrate to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
 
 > [!div class="nextstepaction"]
-> [Next: configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
+> [Next: configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 6174ed348a..e98fede731 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -1,7 +1,7 @@
 ---
 title: Configure and validate the Public Key Infrastructure in an on-premises certificate trust model
 description: Configure and validate the Public Key Infrastructure the Public Key Infrastructure when deploying Windows Hello for Business in a certificate trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index 70a5ee4feb..04edf25531 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business deployment guide for the on-premises certificate trust model
 description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 35b4058caa..8b24e78f64 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -30,9 +30,9 @@ Do not begin your deployment until the hosting servers and infrastructure (not r
 
 ## Deployment and trust models
 
-Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*.
+Windows Hello for Business has three deployment models: Microsoft Entra cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*.
 
-Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
+Hybrid deployments are for enterprises that use Microsoft Entra ID. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Microsoft Entra ID must use the hybrid deployment model for all domains in that forest.
 
 The trust model determines how you want users to authenticate to the on-premises Active Directory:
 
@@ -42,18 +42,18 @@ The trust model determines how you want users to authenticate to the on-premises
 - The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
 
 > [!Note]
-> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../remote-credential-guard.md).
 
 Following are the various deployment guides and models included in this topic:
 
-- [Hybrid Azure AD Joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md)
-- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
-- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
-- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
+- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md)
+- [Microsoft Entra hybrid joined Key Trust Deployment](hello-hybrid-key-trust.md)
+- [Microsoft Entra hybrid joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
+- [Microsoft Entra join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
 - [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
 - [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
 
-For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
+For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you will need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
 
 ## Provisioning
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index 7882589fd0..b5c4e51668 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -8,13 +8,15 @@ ms.topic: troubleshooting
 
 The content of this article is to help troubleshoot known deployment issues for Windows Hello for Business.
 
-## PIN reset on Azure AD join devices fails with *We can't open that page right now* error
+<a name='pin-reset-on-azure-ad-join-devices-fails-with-we-cant-open-that-page-right-now-error'></a>
 
-PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate the user above lock. Web sign in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message *We can't open that page right now*.
+## PIN reset on Microsoft Entra join devices fails with *We can't open that page right now* error
+
+PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to authenticate the user above lock. Web sign in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message *We can't open that page right now*.
 
 ### Identify PIN Reset allowed domains issue
 
-The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Azure AD Join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Azure AD credentials and completes MFA.
+The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Microsoft Entra join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Microsoft Entra credentials and completes MFA.
 
 In federated environments, authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and displays the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist.
 
@@ -22,7 +24,7 @@ If you're a customer of *Azure US Government* cloud, PIN reset also attempts to
 
 ### Resolve PIN Reset allowed domains issue
 
-To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Azure AD joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices).
+To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Microsoft Entra joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices).
 
 ## Hybrid key trust sign in broken due to user public key deletion
 
@@ -32,11 +34,11 @@ Applies to:
 - Windows Server 2016, builds 14393.3930 to 14393.4048
 - Windows Server 2019, builds 17763.1457 to 17763.1613
 
-In Hybrid key trust deployments with domain controllers running certain builds of Windows Server 2016 and Windows Server 2019, the user's Windows Hello for Business key is deleted after they sign-in. Subsequent sign-ins will fail until the user's key is synced during the next Azure AD Connect delta sync cycle.
+In Hybrid key trust deployments with domain controllers running certain builds of Windows Server 2016 and Windows Server 2019, the user's Windows Hello for Business key is deleted after they sign-in. Subsequent sign-ins will fail until the user's key is synced during the next Microsoft Entra Connect delta sync cycle.
 
 ### Identify user public key deletion issue
 
-After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Azure AD to AD during an Azure AD Connect sync cycle. The user's public key is written to the `msDS-KeyCredentialLink` attribute of the user object.
+After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Microsoft Entra ID to Active Directory during a Microsoft Entra Connect Sync cycle. The user's public key is written to the `msDS-KeyCredentialLink` attribute of the user object.
 
 Before the user's Windows Hello for Business key syncs, sign-ins with Windows Hello for Business fail with the error message *That option is temporarily unavailable. For now, please use a different method to sign in.* After the key syncs successfully, the user can sign in and unlock with their PIN or enrolled biometrics.
 
@@ -48,14 +50,16 @@ After the initial sign-in attempt, the user's Windows Hello for Business public
 
 To resolve the issue, update Windows Server 2016 and 2019 domain controllers with the latest patches. For Windows Server 2016, the behavior is fixed in build *14393.4104* ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, the behavior is fixed in build *17763.1637* ([KB4592440](https://support.microsoft.com/help/4592440)).
 
-## Azure AD joined device access to on-premises resources using key trust and third-party Certificate Authority (CA)
+<a name='azure-ad-joined-device-access-to-on-premises-resources-using-key-trust-and-third-party-certificate-authority-ca'></a>
+
+## Microsoft Entra joined device access to on-premises resources using key trust and third-party Certificate Authority (CA)
 
 Applies to:
 
-- Azure AD joined key trust deployments
+- Microsoft Entra joined key trust deployments
 - Third-party certificate authority (CA) issuing domain controller certificates
 
-Windows Hello for Business uses smart-card based authentication for many operations. This type of authentication has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates.
+Windows Hello for Business uses smart-card based authentication for many operations. This type of authentication has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from a Microsoft Entra joined device does require special configuration when using a third-party CA to issue domain controller certificates.
 
 For more information, read [Guidelines for enabling smart card sign in with third-party certification authorities](/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities).
 
@@ -104,7 +108,7 @@ Domain controllers running early versions of Windows Server 2019 have an issue t
 
 On the client, authentication with Windows Hello for Business fails with the error message, *That option is temporarily unavailable. For now, please use a different method to sign in.*
 
-The error is presented on hybrid Azure AD-joined devices in key trust deployments after Windows Hello for Business is provisioned, but before a user's key is synced from Azure AD to AD. If a user's key isn't synced from Azure AD and the `msDS-keycredentiallink` attribute on the user object in AD is populated for NGC, then it's possible that the error occurs.
+The error is presented on Microsoft Entra hybrid joined devices in key trust deployments after Windows Hello for Business is provisioned, but before a user's key is synced from Microsoft Entra ID to Active Directory. If a user's key isn't synced from Microsoft Entra ID and the `msDS-keycredentiallink` attribute on the user object in AD is populated for NGC, then it's possible that the error occurs.
 
 Another indicator of the failure can be identified using network traces. If you capture network traces for a key trust sign-in event, the traces show Kerberos failing with the error *KDC_ERR_CLIENT_NAME_MISMATCH*.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 65be112a27..315ce4361f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -18,13 +18,13 @@ This document describes Windows Hello for Business functionalities or scenarios
 Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user:
 
 - Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy
-- Deploy certificates to hybrid or Azure AD-joined devices using Intune
+- Deploy certificates to hybrid or Microsoft Entra joined devices using Intune
 - Work with third-party PKIs
 
 ## Deploy certificates via Active Directory Certificate Services (AD CS)
 
 > [!NOTE]
-> This process is applicable to *hybrid Azure AD joined* devices only.
+> This process is applicable to *Microsoft Entra hybrid joined* devices only.
 
 To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template.
 
@@ -77,7 +77,7 @@ Follow these steps to create a certificate template:
 
 ### Request a certificate
 
-1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA
+1. Sign in to a client that is Microsoft Entra hybrid joined, ensuring that the client has line of sight to a domain controller and the issuing CA
 1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`
 1. In the left pane of the MMC, right-click **Personal > All Tasks > Request New Certificate…**
 1. On the Certificate Enrollment screen, select **Next**
@@ -88,17 +88,17 @@ Follow these steps to create a certificate template:
 ## Deploy certificates via Intune
 
 > [!CAUTION]
-> This process is applicable to both *Azure AD joined* and *hybrid Azure AD joined* devices that are managed via Intune.
+> This process is applicable to both *Microsoft Entra joined* and *Microsoft Entra hybrid joined* devices that are managed via Intune.
 >
 > If you deploy certificates via Intune and configure Windows Hello for Business via group policy, the devices will fail to obtain a certificate, logging the error code `0x82ab0011` in the `DeviceManagement-Enterprise-Diagnostic-Provider` log.\
 > To avoid the error, configure Windows Hello for Business via Intune instead of group policy.
 
-Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to:
+Deploying a certificate to Microsoft Entra joined or Microsoft Entra hybrid joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to:
 
 - [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune][MEM-1]
 - [Configure and use PKCS certificates with Intune][MEM-2]
 
-Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5].
+Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Microsoft Entra joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5].
 
 Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index e63b129275..d048d6409f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -22,15 +22,15 @@ When a user encounters an error when creating the work PIN, advise the user to t
 1. Try to create the PIN again. Some errors are transient and resolve themselves.
 2. Sign out, sign in, and try to create the PIN again.
 3. Reboot the device and then try to create the PIN again.
-4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings > System > About > Disconnect from organization**.
+4. Unjoin the device from Microsoft Entra ID, rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings > System > About > Disconnect from organization**.
 
 If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
 
 | Hex        | Cause                                                              | Mitigation                                  |
 | :--------- | :----------------------------------------------------------------- | :------------------------------------------ |
-| 0x80090005 | NTE\_BAD\_DATA                                                     | Unjoin the device from Azure AD and rejoin. |
-| 0x8009000F | The container or key already exists.                               | Unjoin the device from Azure AD and rejoin. |
-| 0x80090011 | The container or key was not found.                                | Unjoin the device from Azure AD and rejoin. |
+| 0x80090005 | NTE\_BAD\_DATA                                                     | Unjoin the device from Microsoft Entra ID and rejoin. |
+| 0x8009000F | The container or key already exists.                               | Unjoin the device from Microsoft Entra ID and rejoin. |
+| 0x80090011 | The container or key was not found.                                | Unjoin the device from Microsoft Entra ID and rejoin. |
 | 0x80090029 | TPM is not set up.                                                 | Sign on with an administrator account. Select **Start**, type `tpm.msc`, and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
 | 0x8009002A | NTE\_NO\_MEMORY                                                    | Close programs which are taking up memory and try again. |
 | 0x80090031 | NTE\_AUTHENTICATION\_IGNORED                                       | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). |
@@ -50,11 +50,11 @@ If the error occurs again, check the error code against the following table to s
 | 0x801C03EA | Server failed to authorize user or device.                         | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
 | 0x801C03EB | Server response http status is not valid                           | Sign out and then sign in again. |
 | 0x801C03EC | Unhandled exception from server.                                   | sign out and then sign in again. |
-| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. <br><br> -or- <br><br> Token was not found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure  AD and rejoin. <br> Allow user(s) to join to Azure AD under Azure AD Device settings.
+| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. <br><br> -or- <br><br> Token was not found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User does not have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure  AD and rejoin. <br> Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings.
 | 0x801C03EE | Attestation failed.                                                | Sign out and then sign in again. |
 | 0x801C03EF | The AIK certificate is no longer valid.                            | Sign out and then sign in again. |
-| 0x801C03F2 | Windows Hello key registration failed.                             | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address.
-| 0x801C044D | Authorization token does not contain device ID.                    | Unjoin the device from Azure AD and rejoin. |
+| 0x801C03F2 | Windows Hello key registration failed.                             | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address.
+| 0x801C044D | Authorization token does not contain device ID.                    | Unjoin the device from Microsoft Entra ID and rejoin. |
 |            | Unable to obtain user token.                                       | Sign out and then sign in again. Check network and credentials. |
 | 0x801C044E | Failed to receive user credentials input.                          | Sign out and then sign in again. |
 | 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.| 
@@ -86,6 +86,5 @@ For errors listed in this table, contact Microsoft Support for assistance.
 | 0x801C03F0  | ​There is no key registered for the user. |
 | 0x801C03F1  | ​There is no UPN in the token. |
 | ​0x801C044C  | There is no core window for the current thread. |
-| 0x801c004D  | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. |
+| 0x801c004D  | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Microsoft Entra token for provisioning. Unable to enroll a device to use a PIN for login. |
 | 0xCAA30193  | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. |
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 04b493aa73..e289afe305 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -36,7 +36,7 @@ sections:
       - question: What's a container?
         answer: |
           In the context of Windows Hello for Business, a container is a logical grouping of *key material* or data. Windows Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
-          The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD.
+          The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Microsoft Entra ID.
           
           > [!NOTE]
           > There are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials that Windows Hello stores, are protected without the creation of actual containers or folders.
@@ -46,7 +46,7 @@ sections:
 
           Containers can contain several types of key material:
             - An authentication key, which is always an asymmetric public-private key pair. This key pair is generated during registration. It must be unlocked each time it's accessed, by using either the user's PIN or a biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key.
-            - The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
+            - The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Microsoft Entra accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
               - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as VPN solutions, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
               - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don't have or need a PKI.
       - question: How are keys protected?
@@ -54,7 +54,7 @@ sections:
           Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There's a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Business implementation takes advantage of onboard TPM hardware to generate and protect keys. Administrators can choose to allow key operations in software, but it's recommended the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means the user will have to use MFA to reauthenticate to the IDP before the IDP allows re-registration). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
       - question: How does PIN caching work with Windows Hello for Business?
         answer: |
-          Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key. 
+          Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Microsoft Entra ID and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key. 
           
           Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN. 
           
@@ -70,9 +70,9 @@ sections:
           Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it.
       - question: What's the difference between non-destructive and destructive PIN reset?
         answer: |
-          Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md).
+          Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Microsoft Entra ID can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md).
           
-          Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then  performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For hybrid Azure Active Directory joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
+          Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then  performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For Microsoft Entra hybrid joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
       - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication?
         answer: |
           Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.
@@ -123,7 +123,7 @@ sections:
           No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that isn't a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics.
       - question: What is Event ID 300?
         answer: |
-          This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required.
+          This event is created when Windows Hello for Business is successfully created and registered with Microsoft Entra ID. Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required.
       - question: What happens when an unauthorized user gains possession of a device enrolled in Windows Hello for Business?
         answer: |
           The unauthorized user won't be able to utilize any biometric options and will have the only option to enter a PIN.
@@ -142,12 +142,12 @@ sections:
       - question: How many users can enroll for Windows Hello for Business on a single Windows device?
         answer: |
           The maximum number of supported enrollments on a single device is 10. This lets 10 users each enroll their face and up to 10 fingerprints. For devices with more than 10 users, or for users that sign-in to many devices (for example, a support technician), it's recommended the use of FIDO2 security keys.
-      - question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
+      - question: I have extended Active Directory to Microsoft Entra ID. Can I use the on-premises deployment model?
         answer: |
           No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
-      - question: What attributes are synchronized by Azure AD Connect with Windows Hello for Business?
+      - question: What attributes are synchronized by Microsoft Entra Connect with Windows Hello for Business?
         answer: |
-          Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes.
+          Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes.
       - question: Can I use third-party MFA providers with Windows Hello for Business?
         answer: |
           Yes, if you're using federated hybrid deployment, you can use any third-party that provides an AD FS MFA adapter. A list of third-party MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
@@ -170,21 +170,21 @@ sections:
       - question: Can I wear a mask to enroll or unlock using Windows Hello face authentication?
         answer: |
           Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this article further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, consider un-enrolling from face authentication and only using PIN or fingerprint.
-      - question: How does Windows Hello for Business work with Azure AD registered devices?
+      - question: How does Windows Hello for Business work with Microsoft Entra registered devices?
         answer: |
-          A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices  if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.
+          A user will be prompted to set up a Windows Hello for Business key on a Microsoft Entra registered devices  if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.
 
-          If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. 
+          If a user has signed into their Microsoft Entra registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Microsoft Entra resources. The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. 
 
-          It's possible to Azure AD register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business. 
+          It's possible to Microsoft Entra register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business. 
 
-          For more information, please read [Azure AD registered devices](/azure/active-directory/devices/concept-azure-ad-register).
+          For more information, please read [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register).
       - question: Does Windows Hello for Business work with non-Windows operating systems?
         answer: |
           Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft isn't developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
-      - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients?
+      - question: Does Windows Hello for Business work with Microsoft Entra Domain Services clients?
         answer: |
-          No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD DS.
+          No, Microsoft Entra Domain Services is a separately managed environment in Azure, and hybrid device registration with cloud Microsoft Entra ID isn't available for it via Microsoft Entra Connect. Hence, Windows Hello for Business doesn't work with Microsoft Entra Domain Services.
       - question: Is Windows Hello for Business considered multifactor authentication?
         answer: |
           Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
@@ -200,9 +200,9 @@ sections:
       - question: What is convenience PIN?
         answer: |
           *Convenience PIN* provides a simpler way to sign in to Windows than passwords, but it still uses a password for authentication. When the correct convenience PIN is provided to Windows, the password information is loaded from its cache and authenticates the user. Organizations using convenience PINs should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs.
-      - question: Can I use a convenience PIN with Azure Active Directory?
+      - question: Can I use a convenience PIN with Microsoft Entra ID?
         answer: |
-          No. While it's possible to set a convenience PIN on Azure AD joined and hybrid Azure AD joined devices, convenience PIN isn't supported for Azure AD user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users.
+          No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users.
       - question: What about virtual smart cards?
         answer: |
           Windows Hello for Business is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business.
@@ -231,7 +231,7 @@ sections:
     questions:
       - question: What is Windows Hello for Business cloud Kerberos trust?
         answer: |
-          Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
+          Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
       - question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
         answer: |
           This feature doesn't work in a pure on-premises AD domain services environment.
@@ -254,7 +254,7 @@ sections:
     questions:
       - question: Why does authentication fail immediately after provisioning hybrid key trust?
         answer: |
-          In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
+          In a hybrid deployment, a user's public key must sync from Microsoft Entra ID to Active Directory before it can be used to authenticate against a domain controller. This sync is handled by Microsoft Entra Connect and will occur during a normal sync cycle.
       - question: Can I use Windows Hello for Business key trust and RDP?
         answer: |
-          Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
+          Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 9f0e8d48ae..bf642eef73 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -26,7 +26,7 @@ Windows Hello for Business provides the capability for users to reset forgotten
 - Hybrid or cloud-only Windows Hello for Business deployments
 - Windows Enterprise, Education and Pro editions. There's no licensing requirement for this feature
 
-When non-destructive PIN reset is enabled on a client, a *256-bit AES* key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the *PIN reset protector*. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.
+When non-destructive PIN reset is enabled on a client, a *256-bit AES* key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the *PIN reset protector*. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Microsoft Entra ID, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.
 
 Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the Microsoft PIN reset service, which enables users to reset their forgotten PIN without requiring re-enrollment.
 
@@ -35,15 +35,17 @@ The following table compares destructive and non-destructive PIN reset:
 |Category|Destructive PIN reset|Non-Destructive PIN reset|
 |--- |--- |--- |
 |**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new sign in key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
-|**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
-|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this option from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
-|**On Premises**|If AD FS is used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for hybrid Azure AD joined and Azure AD Joined devices.|
+|**Microsoft Entra joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
+|**Microsoft Entra hybrid joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this option from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
+|**On Premises**|If AD FS is used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Microsoft Entra identities, so it's only available for Microsoft Entra hybrid joined and Microsoft Entra joined devices.|
 |**Additional configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature.|
 |**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|
 
-## Enable the Microsoft PIN Reset Service in your Azure AD tenant
+<a name='enable-the-microsoft-pin-reset-service-in-your-azure-ad-tenant'></a>
 
-Before you can use non-destructive PIN reset, you must register two applications in your Azure Active Directory tenant:
+## Enable the Microsoft PIN Reset Service in your Microsoft Entra tenant
+
+Before you can use non-destructive PIN reset, you must register two applications in your Microsoft Entra tenant:
 
 - Microsoft Pin Reset Service Production
 - Microsoft Pin Reset Client Production
@@ -52,7 +54,7 @@ To register the applications, follow these steps:
 
 :::row:::
   :::column span="3":::
-  1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in using a *Global Administrator* account you use to manage your Azure Active Directory tenant. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
+  1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in using a *Global Administrator* account you use to manage your Microsoft Entra tenant. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
   :::column-end:::
   :::column span="1":::
     :::image type="content" alt-text="Screenshot showing the PIN reset service permissions page." source="images/pinreset/pin-reset-service-prompt.png" lightbox="images/pinreset/pin-reset-service-prompt.png" border="true":::
@@ -60,7 +62,7 @@ To register the applications, follow these steps:
 :::row-end:::
 :::row:::
   :::column span="3":::
-  2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign in using a *Global Administrator* account you use to manage your Azure Active Directory tenant. Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
+  2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign in using a *Global Administrator* account you use to manage your Microsoft Entra tenant. Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
   :::column-end:::
   :::column span="1":::
     :::image type="content" alt-text="Screenshot showing the PIN reset client permissions page." source="images/pinreset/pin-reset-client-prompt.png" lightbox="images/pinreset/pin-reset-client-prompt.png" border="true":::
@@ -68,7 +70,9 @@ To register the applications, follow these steps:
 :::row-end:::
 :::row:::
   :::column span="3":::
-  3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization
+  3. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to confirm consent to both applications to access your organization.
+  >[!NOTE]
+  >After acceptance, the redirect page will show a blank page. This is a known behavior.
   :::column-end:::
   :::column span="1":::
     :::image type="content" alt-text="Screenshot showing the PIN reset service permissions final page." source="images/pinreset/pin-reset-service-prompt-2.png" lightbox="images/pinreset/pin-reset-service-prompt-2.png" border="true":::
@@ -78,7 +82,7 @@ To register the applications, follow these steps:
 ### Confirm that the two PIN Reset service principals are registered in your tenant
 
 1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com)
-1. Select **Azure Active Directory > Applications > Enterprise applications**
+1. Select **Microsoft Entra ID > Applications > Enterprise applications**
 1. Search by application name "Microsoft PIN" and verify that both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** are in the list
    :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications-expanded.png":::
 
@@ -111,10 +115,10 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
 
 | OMA-URI |Data type| Value|
 |-|-|-|
-| `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`| Boolean | Tue |
+| `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`| Boolean | True |
 
 >[!NOTE]
-> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
+> You must replace `TenantId` with the identifier of your Microsoft Entra tenant. To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
 
 ```msgraph-interactive
 GET https://graph.microsoft.com/v1.0/organization?$select=id
@@ -122,11 +126,12 @@ GET https://graph.microsoft.com/v1.0/organization?$select=id
 
 #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 
-[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**:
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
+[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
 
-| Group policy setting | Value |
-| - | - |
-| **Use PIN Recovery** | **Enabled** |
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+|**Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**| Use PIN Recovery | Enabled |
 
 [!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)]
 
@@ -174,12 +179,14 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
 +----------------------------------------------------------------------+
 ```
 
-## Configure allowed URLs for federated identity providers on Azure AD joined devices
+<a name='configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices'></a>
 
-**Applies to:** Azure AD joined devices
+## Configure allowed URLs for federated identity providers on Microsoft Entra joined devices
 
-PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *We can't open that page right now*.\
-If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
+**Applies to:** Microsoft Entra joined devices
+
+PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: *"We can't open that page right now"*.\
+If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Microsoft Entra joined PIN reset.
 
 [!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
 
@@ -196,14 +203,14 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
 | <li> OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` </li><li>Data type: String </li><li>Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com**</li>|
 
 > [!NOTE]
-> For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
+> For Azure Government, there is a known issue with PIN reset on Microsoft Entra joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, *"We can't open that page right now"*. The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
 
 ## Use PIN reset
 
 Destructive and non-destructive PIN reset scenarios use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen with the *PIN credential provider*. Users must authenticate and complete multi-factor authentication to reset their PIN. After PIN reset is complete, users can sign in using their new PIN.
 
 >[!IMPORTANT]
->For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
+>For Microsoft Entra hybrid joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
 
 ### Reset PIN from Settings
 
@@ -213,7 +220,7 @@ Destructive and non-destructive PIN reset scenarios use the same steps for initi
 
 ### Reset PIN from the lock screen
 
-For Azure AD-joined devices:
+For Microsoft Entra joined devices:
 
 1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon
 1. Select **I forgot my PIN** from the PIN credential provider
@@ -223,7 +230,7 @@ For Azure AD-joined devices:
 
 :::image type="content" alt-text="Animation showing the PIN reset experience from the lock screen." source="images/pinreset/pin-reset.gif" border="false":::
 
-For Hybrid Azure AD-joined devices:
+For Microsoft Entra hybrid joined devices:
 
 1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon
 1. Select **I forgot my PIN** from the PIN credential provider
@@ -232,14 +239,14 @@ For Hybrid Azure AD-joined devices:
 1. When finished, unlock your desktop using your newly created PIN
 
 > [!NOTE]
-> Key trust on hybrid Azure AD-joined devices doesn't support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
+> Key trust on Microsoft Entra hybrid joined devices doesn't support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
 
-You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
+You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Microsoft Entra self-service password reset at the Windows sign-in screen](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
 
 <!--links-->
 
 [CSP-1]: /windows/client-management/mdm/passportforwork-csp
 [CSP-2]: /windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls
 [INT-1]: /mem/intune/configuration/settings-catalog
-[APP-1]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&redirect_uri=https%3A%2F%2Fcred.microsoft.com&prompt=admin_consent
-[APP-2]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&prompt=admin_consent
+[APP-1]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent
+[APP-2]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 736e333462..8e7e89b38e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -1,10 +1,10 @@
 ---
 title: Remote Desktop
 description: Learn how Windows Hello for Business supports using biometrics with remote desktop
-ms.date: 02/24/2021
+ms.date: 09/01/2023
 ms.topic: conceptual
 ms.collection:
-  - tier1
+- tier1
 ---
 
 # Remote Desktop
@@ -12,9 +12,9 @@ ms.collection:
 **Requirements**
 
 - Hybrid and On-premises Windows Hello for Business deployments
-- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
+- Microsoft Entra joined, Microsoft Entra hybrid joined, and Enterprise joined devices
 
-Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection.
+Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection.
 
 Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release.
 
@@ -23,38 +23,27 @@ Microsoft continues to investigate supporting using keys trust for supplied cred
 **Requirements**
 
 - Hybrid and On-premises Windows Hello for Business deployments
-- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
+- Microsoft Entra joined, Microsoft Entra hybrid joined, and Enterprise joined devices
 - Biometric enrollments
 
 The ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric is on by default.
 
 ### How does it work
 
-Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP).  Software-based keys are created and stored using the Microsoft Software Key Storage Provider.  Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider.  Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.
+Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.
 
-A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP.  Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store.  The private key remains on the smart card and the public key is stored with the certificate.  Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key).
+A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) stores the key storage provider used to create the key (remember the certificate contains the public key).
 
-This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric).  The certificate APIs hide this complexity.  When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider.  The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate.  This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
+The same concept applies to Windows Hello for Business, except that the keys are created using the Microsoft Passport KSP. The user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide the complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers direct the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
 
-Windows Hello for Business emulates a smart card for application compatibility.  Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN.  Windows 10, version 1809 or later no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows to prompt the user for their biometric gesture or PIN.
+Windows Hello for Business emulates a smart card for application compatibility, and the Microsoft Passport KSP prompts the user for their biometric gesture or PIN.
 
 ### Compatibility
 
-Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates.  You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
+Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
 
 > [!div class="mx-imgBorder"]
 > ![WHFB Certificate GP Setting.](images/rdpbio/rdpbiopolicysetting.png)
 
 > [!IMPORTANT]
-> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials.  Microsoft continues to investigate supporting the feature.
-
-## Related topics
-
-- [Windows Hello for Business](hello-identity-verification.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 313d215066..36755630f0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -6,75 +6,87 @@ ms.topic: reference
 ---
 # Windows Hello for Business authentication
 
-Windows Hello for Business authentication is a passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
+Windows Hello for Business authentication is a passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Microsoft Entra ID and Active Directory resources.
 
-Azure AD-joined devices authenticate to Azure AD during sign-in and can, optionally, authenticate to Active Directory. Hybrid Azure AD-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure AD in the background.
+Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in and can, optionally, authenticate to Active Directory. Microsoft Entra hybrid joined devices authenticate to Active Directory during sign-in, and authenticate to Microsoft Entra ID in the background.
 
-## Azure AD join authentication to Azure AD
+<a name='azure-ad-join-authentication-to-azure-ad'></a>
 
-![Azure AD join authentication to Azure Active Directory.](images/howitworks/auth-aadj-cloud.png)
+## Microsoft Entra join authentication to Microsoft Entra ID
+
+![Microsoft Entra join authentication to Microsoft Entra ID.](images/howitworks/auth-aadj-cloud.png)
 
 > [!NOTE]
-> All Azure AD-joined devices authenticate with Windows Hello for Business to Azure AD the same way. The Windows Hello for Business trust type only impacts how the device authenticates to on-premises AD.
+> All Microsoft Entra joined devices authenticate with Windows Hello for Business to Microsoft Entra ID the same way. The Windows Hello for Business trust type only impacts how the device authenticates to on-premises AD.
 
 | Phase  | Description  |
 | :----: | :----------- |
 |A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.| 
-|B | The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.|
-|C | Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  Azure AD then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
+|B | The Cloud AP provider requests a nonce from Microsoft Entra ID.  Microsoft Entra ID returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.|
+|C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature.  Microsoft Entra ID then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
 |D | The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
 |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
 
-## Azure AD join authentication to Active Directory using cloud Kerberos trust
+<a name='azure-ad-join-authentication-to-active-directory-using-cloud-kerberos-trust'></a>
 
-![Azure Active Directory join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
+## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust
+
+![Microsoft Entra join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller.
-|B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Azure AD from a previous Azure AD authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Azure AD Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller.
+|B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Microsoft Entra ID from a previous Microsoft Entra authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
 
-## Azure AD join authentication to Active Directory using a key
+<a name='azure-ad-join-authentication-to-active-directory-using-a-key'></a>
 
-![Azure AD join authentication to Active Directory using a Key.](images/howitworks/auth-aadj-keytrust-kerb.png)
+## Microsoft Entra join authentication to Active Directory using a key
+
+![Microsoft Entra join authentication to Active Directory using a Key.](images/howitworks/auth-aadj-keytrust-kerb.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
 |B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate.  It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory.  It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
 
 > [!NOTE]
-> You might have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Azure AD joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
+> You might have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Microsoft Entra joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
 
-## Azure AD join authentication to Active Directory using a certificate
+<a name='azure-ad-join-authentication-to-active-directory-using-a-certificate'></a>
 
-![Azure AD join authentication to Active Directory using a Certificate.](images/howitworks/auth-aadj-certtrust-kerb.png)
+## Microsoft Entra join authentication to Active Directory using a certificate
+
+![Microsoft Entra join authentication to Active Directory using a Certificate.](images/howitworks/auth-aadj-certtrust-kerb.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate.  Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate.  Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
 |B | The Kerberos provider sends the signed preauthentication data and  user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate.  The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked.  It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory.  It validates the signed preauthentication data using the public key from the certificate.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
 
 > [!NOTE]
-> You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.  
+> You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.  
 
-## Hybrid Azure AD join authentication using cloud Kerberos trust
+<a name='hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust'></a>
 
-![Hybrid Azure AD join authentication using Azure AD Kerberos](images/howitworks/auth-haadj-cloudtrust.png)
+## Microsoft Entra hybrid join authentication using cloud Kerberos trust
+
+![Microsoft Entra hybrid join authentication using Microsoft Entra Kerberos](images/howitworks/auth-haadj-cloudtrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
-|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD.
-|C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP.
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.
+|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Microsoft Entra ID.
+|C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Microsoft Entra Kerberos and returns them to Cloud AP.
 |D | Cloud AP  receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
-|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Azure AD to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
 
-## Hybrid Azure AD join authentication using a key
+<a name='hybrid-azure-ad-join-authentication-using-a-key'></a>
 
-![Hybrid Azure AD join authentication using a key.](images/howitworks/auth-haadj-keytrust.png)
+## Microsoft Entra hybrid join authentication using a key
+
+![Microsoft Entra hybrid join authentication using a key.](images/howitworks/auth-haadj-keytrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -83,15 +95,17 @@ Azure AD-joined devices authenticate to Azure AD during sign-in and can, optiona
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
 |D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
 |E | Lsass informs Winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
-|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce.|
-|G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.  Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
+|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Microsoft Entra ID.  Microsoft Entra ID returns a nonce.|
+|G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.  Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
 
 > [!IMPORTANT]
-> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
+> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
 
-## Hybrid Azure AD join authentication using a certificate
+<a name='hybrid-azure-ad-join-authentication-using-a-certificate'></a>
 
-![Hybrid Azure AD join authentication using a Certificate.](images/howitworks/auth-haadj-certtrust.png)
+## Microsoft Entra hybrid join authentication using a certificate
+
+![Microsoft Entra hybrid join authentication using a Certificate.](images/howitworks/auth-haadj-certtrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -100,8 +114,8 @@ Azure AD-joined devices authenticate to Azure AD during sign-in and can, optiona
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
 |D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
 |E | Lsass informs Winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
-|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce.|
-|G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.  Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
+|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Microsoft Entra ID.  Microsoft Entra ID returns a nonce.|
+|G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.  Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
 
 > [!IMPORTANT]
 > In the above deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 219e82d35c..dc5f922db7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -2,106 +2,116 @@
 title: How Windows Hello for Business works - Provisioning
 description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
 ms.date: 2/15/2022
-ms.topic: article
+ms.topic: overview
 ---
 # Windows Hello for Business Provisioning
 
 Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication.  Provisioning experience vary based on:
 
-- How the device is joined to Azure Active Directory
+- How the device is joined to Microsoft Entra ID
 - The Windows Hello for Business deployment type
 - If the environment is managed or federated
 
 List of provisioning flows:
 
-- [Azure AD joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
-- [Azure AD joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
-- [Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment)
-- [Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
-- [Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
+- [Microsoft Entra joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
+- [Microsoft Entra joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
+- [Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment)
+- [Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
+- [Microsoft Entra hybrid joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
 - [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
 - [Domain joined provisioning in an On-premises certificate trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)
 
 > [!NOTE]
 > The flows in this section are not exhaustive for every possible scenario. For example, Federated Key Trust is also a supported configuration.
 
-## Azure AD joined provisioning in a managed environment
+<a name='azure-ad-joined-provisioning-in-a-managed-environment'></a>
 
-![Azure AD joined provisioning in a managed environment.](images/howitworks/prov-aadj-managed.png)
+## Microsoft Entra joined provisioning in a managed environment
+
+![Microsoft Entra joined provisioning in a managed environment.](images/howitworks/prov-aadj-managed.png)
 [Full size image](images/howitworks/prov-aadj-managed.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication.  If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication.  If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
 |B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).|
-|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.|
+|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application which signals the end of user provisioning and the application exits.|
 
 
 [Return to top](#windows-hello-for-business-provisioning)
 
-## Azure AD joined provisioning in a federated environment
+<a name='azure-ad-joined-provisioning-in-a-federated-environment'></a>
 
-![Azure AD joined provisioning in federated environment.](images/howitworks/prov-aadj-federated.png)
+## Microsoft Entra joined provisioning in a federated environment
+
+![Microsoft Entra joined provisioning in federated environment.](images/howitworks/prov-aadj-federated.png)
 [Full size image](images/howitworks/prov-aadj-federated.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>  In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication.  If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br> The on-premises STS server issues an enterprise token on successful MFA.  The application sends the token to Azure Active Directory.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>  In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication.  If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br> The on-premises STS server issues an enterprise token on successful MFA.  The application sends the token to Microsoft Entra ID.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
 |B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor.  If the application detects a biometric sensor, it gives the user the choice to enroll biometrics.  After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics).  The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).|
-|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.|
+|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns key ID to the application which signals the end of user provisioning and the application exits.|
 
 [Return to top](#windows-hello-for-business-provisioning)
 
-## Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment
+<a name='hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment'></a>
 
-![Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a Managed environment.](images/howitworks/prov-haadj-cloudtrust-managed.png)
+## Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a managed environment
+
+![Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a Managed environment.](images/howitworks/prov-haadj-cloudtrust-managed.png)
 [Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png)
 
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 |:-----:|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|   A   | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|   A   | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
 |   B   | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor.  If the application detects a biometric sensor, it gives the user the choice to enroll biometrics.  After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics).  The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).                                                                                                                                                                                                                                                                         |
-|   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.  |
+|   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application which signals the end of user provisioning and the application exits.  |
 
 > [!NOTE]
-> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential.
+> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Microsoft Entra ID to Active Directory. Users can immediately authenticate to Microsoft Entra ID and AD after provisioning their credential.
 
 [Return to top](#windows-hello-for-business-provisioning)
 
-## Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment
+<a name='hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment'></a>
 
-![Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment.](images/howitworks/prov-haadj-keytrust-managed.png)
+## Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment
+
+![Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment.](images/howitworks/prov-haadj-keytrust-managed.png)
 [Full size image](images/howitworks/prov-haadj-keytrust-managed.png)
 
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 |:-----:|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|   A   | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|   A   | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
 |   B   | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor.  If the application detects a biometric sensor, it gives the user the choice to enroll biometrics.  After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics).  The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).                                                                                                                                                                                                                                                                         |
-|   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.                                                                                                                                                                                                                                                                                                                                                         |
-|   D   | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. Azure Active Directory Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
+|   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application which signals the end of user provisioning and the application exits.                                                                                                                                                                                                                                                                                                                                                         |
+|   D   | Microsoft Entra Connect requests updates on its next synchronization cycle. Microsoft Entra ID sends the user's public key that was securely registered through provisioning. Microsoft Entra Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 
 > [!IMPORTANT]
-> The newly provisioned user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory.
+> The newly provisioned user will not be able to sign in using Windows Hello for Business until Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory.
 
 [Return to top](#windows-hello-for-business-provisioning)
 
-## Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment
+<a name='hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment'></a>
 
-![Hybrid Azure AD joined provisioning in a synchronous Certificate trust deployment in a federated environment.](images/howitworks/prov-haadj-instant-certtrust-federated.png)
+## Microsoft Entra hybrid joined provisioning in a synchronous certificate trust deployment in a federated environment
+
+![Microsoft Entra hybrid joined provisioning in a synchronous Certificate trust deployment in a federated environment.](images/howitworks/prov-haadj-instant-certtrust-federated.png)
 [Full size image](images/howitworks/prov-haadj-instant-certtrust-federated.png)
 
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 |:-----:|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|   A   | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>  In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise token on successful MFA.  The application sends the token to Azure Active Directory.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|   A   | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>  In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise token on successful MFA.  The application sends the token to Microsoft Entra ID.<br>Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
 |   B   | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor.  If the application detects a biometric sensor, it gives the user the choice to enroll biometrics.  After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics).  The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-|   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+|   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID and a key receipt to the application, which represents the end of user key registration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
 |   D   | The certificate request portion of provisioning begins after the application receives a successful response from key registration.  The application creates a PKCS#10 certificate request.  The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br>  After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys.                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 |   E   | The registration authority validates the public key in the certificate request matches a registered key for the user.<br>  If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.<br>After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
 |   F   | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
 |   G   | The application receives the newly issued certificate and installs it into the Personal store of the user.  This signals the end of provisioning.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
 
 > [!IMPORTANT]
-> Synchronous certificate enrollment does not depend on Azure AD Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate.  Users can sign-in using the certificate immediately after provisioning completes.  Azure AD Connect continues to synchronize the public key to Active Directory, but is not shown in this flow.
+> Synchronous certificate enrollment does not depend on Microsoft Entra Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate.  Users can sign-in using the certificate immediately after provisioning completes.  Microsoft Entra Connect continues to synchronize the public key to Active Directory, but is not shown in this flow.
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Domain joined provisioning in an On-premises Key Trust deployment
@@ -110,7 +120,7 @@ List of provisioning flows:
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>  In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password.  Azure MFA server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
+|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>  In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password.  Azure MFA server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
 | B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor.  If the application detects a biometric sensor, it gives the user the choice to enroll biometrics.  After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics).  The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).|
 |C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration.  Enterprise DRS validates the MFA claim remains current.  On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
 
@@ -122,7 +132,7 @@ List of provisioning flows:
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>  In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password.  Azure MFA server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
+|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.<br>  In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services.  The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication.  In this phase, the user has already provided one factor of authentication, typically user name and password.  Azure MFA server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues an enterprise DRS token on successful MFA.|
 | B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor.  If the application detects a biometric sensor, it gives the user the choice to enroll biometrics.  After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics).  The user provides and confirms their PIN.  Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data.  This is the user key (ukpub/ukpriv).|
 |C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration.  Enterprise DRS validates the MFA claim remains current.  On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
 |D | The certificate request portion of provisioning begins after the application receives a successful response from key registration.  The application creates a PKCS#10 certificate request.  The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br>  After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys.|
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index b1338f11e5..be3cce3029 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -2,7 +2,7 @@
 title: How Windows Hello for Business works - technology and terms
 description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
 ms.date: 10/08/2018
-ms.topic: article
+ms.topic: glossary
 ---
 
 # Technology and terms
@@ -32,32 +32,44 @@ In the issued AIK certificate, a special OID is added to attest that endorsement
 - [Windows client certificate enrollment protocol: glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab)
 - [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
 
-## Azure Active Directory join
+<a name='azure-active-directory-join'></a>
 
-Azure Active Directory (Azure AD) join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Azure AD join. Azure AD join also works in a hybrid environment and can enable access to on-premises applications and resources.
+## Microsoft Entra join
 
-### Related to Azure AD join
+Microsoft Entra join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Microsoft Entra join. Microsoft Entra join also works in a hybrid environment and can enable access to on-premises applications and resources.
+
+<a name='related-to-azure-ad-join'></a>
+
+### Related to Microsoft Entra join
 
 - [Join type](#join-type)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 
-### More information about Azure AD join
+<a name='more-information-about-azure-ad-join'></a>
 
-[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview).
+### More information about Microsoft Entra join
 
-## Azure AD registration
+[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview).
 
-The goal of Azure AD-registered devices is to provide you with support for the _bring your own device_ (BYOD) scenario. In this scenario, a user can access your organization's Azure AD-controlled resources using a personal device.
+<a name='azure-ad-registration'></a>
 
-### Related to Azure AD registration
+## Microsoft Entra registration
 
-- [Azure AD join](#azure-active-directory-join)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+The goal of Microsoft Entra registered devices is to provide you with support for the _bring your own device_ (BYOD) scenario. In this scenario, a user can access your organization's Microsoft Entra ID-controlled resources using a personal device.
+
+<a name='related-to-azure-ad-registration'></a>
+
+### Related to Microsoft Entra registration
+
+- [Microsoft Entra join](#azure-active-directory-join)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 - [Join type](#join-type)
 
-### More information about Azure AD registration
+<a name='more-information-about-azure-ad-registration'></a>
 
-[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview).
+### More information about Microsoft Entra registration
+
+[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview).
 
 ## Certificate trust
 
@@ -66,7 +78,7 @@ The certificate trust model uses a securely issued certificate based on the user
 ### Related to certificate trust
 
 - [Deployment type](#deployment-type)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 - [Hybrid deployment](#hybrid-deployment)
 - [Cloud Kerberos trust](#cloud-kerberos-trust)
 - [Key trust](#key-trust)
@@ -79,18 +91,18 @@ The certificate trust model uses a securely issued certificate based on the user
 
 ## Cloud deployment
 
-The Windows Hello for Business cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD-joined or Azure AD-registered devices.
+The Windows Hello for Business cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Microsoft Entra joined or Microsoft Entra registered devices.
 
 ### Related to cloud deployment
 
-- [Azure AD join](#azure-active-directory-join)
-- [Azure AD registration](#azure-ad-registration)
+- [Microsoft Entra join](#azure-active-directory-join)
+- [Microsoft Entra registration](#azure-ad-registration)
 - [Deployment type](#deployment-type)
 - [Join type](#join-type)
 
 ## Cloud experience host
 
-In Windows 10 and Windows 11, cloud experience host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
+In Windows 10 and Windows 11, cloud experience host is an application used while joining the workplace environment or Microsoft Entra ID for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Microsoft Entra ID, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
 
 ### Related to cloud experience host
 
@@ -111,7 +123,7 @@ Giving the simplicity offered by this model, cloud Kerberos trust is the recomme
 ### Related to cloud Kerberos trust
 
 - [Deployment type](#deployment-type)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 - [Hybrid deployment](#hybrid-deployment)
 - [Key trust](#key-trust)
 - [On-premises deployment](#on-premises-deployment)
@@ -168,7 +180,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t
 
 ## Federated environment
 
-Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
+Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Microsoft Entra ID and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Microsoft Entra ID.
 
 ### Related to federated environment
 
@@ -179,9 +191,11 @@ Primarily for large enterprise organizations with more complex authentication re
 
 ### More information about federated environment
 
-[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
+[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
 
-## Hybrid Azure AD join
+<a name='hybrid-azure-ad-join'></a>
+
+## Microsoft Entra hybrid join
 
 For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
 
@@ -190,27 +204,31 @@ For more than a decade, many organizations have used the domain join to their on
 
 Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy to manage them.
 
-If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure AD, you can implement hybrid Azure AD-joined devices. These devices are joined to both your on-premises Active Directory and your Azure AD.
+If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Microsoft Entra ID, you can implement Microsoft Entra hybrid joined devices. These devices are joined to both your on-premises Active Directory and your Microsoft Entra ID.
 
-### Related to hybrid Azure AD join
+<a name='related-to-hybrid-azure-ad-join'></a>
 
-- [Azure AD join](#azure-active-directory-join)
-- [Azure AD registration](#azure-ad-registration)
+### Related to Microsoft Entra hybrid join
+
+- [Microsoft Entra join](#azure-active-directory-join)
+- [Microsoft Entra registration](#azure-ad-registration)
 - [Hybrid deployment](#hybrid-deployment)
 
-### More information about hybrid Azure AD join
+<a name='more-information-about-hybrid-azure-ad-join'></a>
 
-[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview)
+### More information about Microsoft Entra hybrid join
+
+[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview)
 
 ## Hybrid deployment
 
-The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
+The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Microsoft Entra ID. Hybrid deployments support devices that are Microsoft Entra registered, Microsoft Entra joined, and Microsoft Entra hybrid joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
 
 ### Related to hybrid deployment
 
-- [Azure AD join](#azure-active-directory-join)
-- [Azure AD registration](#azure-ad-registration)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+- [Microsoft Entra join](#azure-active-directory-join)
+- [Microsoft Entra registration](#azure-ad-registration)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 
 ### More information about hybrid deployment
 
@@ -218,23 +236,23 @@ The Windows Hello for Business hybrid deployment is for organizations that have
 
 ## Join type
 
-Join type is how devices are associated with Azure AD. For a device to authenticate to Azure AD it must be registered or joined.
+Join type is how devices are associated with Microsoft Entra ID. For a device to authenticate to Microsoft Entra it must be registered or joined.
 
-Registering a device to Azure AD enables you to manage a device's identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device.
+Registering a device to Microsoft Entra ID enables you to manage a device's identity. When a device is registered, Microsoft Entra device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Microsoft Entra ID. You can use the identity to enable or disable a device.
 
-When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This behavior allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune.
+When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Microsoft Entra ID are updated with additional information about the device. This behavior allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune.
 
 Joining a device is an extension to registering a device. This method provides you with all the benefits of registering a device, and changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account.
 
 ### Related to join type
 
-- [Azure AD join](#azure-active-directory-join)
-- [Azure AD registration](#azure-ad-registration)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+- [Microsoft Entra join](#azure-active-directory-join)
+- [Microsoft Entra registration](#azure-ad-registration)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 
 ### More information about join type
 
-[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview)
+[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview)
 
 ## Key trust
 
@@ -245,7 +263,7 @@ The key trust model uses the user's Windows Hello for Business identity to authe
 - [Cloud Kerberos trust](#cloud-kerberos-trust)
 - [Certificate trust](#certificate-trust)
 - [Deployment type](#deployment-type)
-- [Hybrid Azure AD join](#hybrid-azure-ad-join)
+- [Microsoft Entra hybrid join](#hybrid-azure-ad-join)
 - [Hybrid deployment](#hybrid-deployment)
 - [On-premises deployment](#on-premises-deployment)
 - [Trust type](#trust-type)
@@ -256,7 +274,7 @@ The key trust model uses the user's Windows Hello for Business identity to authe
 
 ## Managed environment
 
-Managed environments are for non-federated environments where Azure AD manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services (ADFS).
+Managed environments are for non-federated environments where Microsoft Entra ID manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services (ADFS).
 
 ### Related to managed environment
 
@@ -280,7 +298,7 @@ The Windows Hello for Business on-premises deployment is for organizations that
 
 ## Pass-through authentication
 
-Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Azure AD. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
+Pass-through authentication provides a simple password validation for Microsoft Entra authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Microsoft Entra ID. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network.
 
 ### Related to pass-through authentication
 
@@ -290,11 +308,11 @@ Pass-through authentication provides a simple password validation for Azure AD a
 
 ### More information about pass-through authentication
 
-[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
+[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
 
 ## Password hash sync
 
-Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
+Password hash sync is the simplest way to enable authentication for on-premises directory objects in Microsoft Entra ID. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Microsoft Entra ID so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Microsoft Entra ID so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Microsoft Entra ID or stored in Microsoft Entra ID in clear text. Some premium features of Microsoft Entra ID, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network.
 
 ### Related to password hash sync
 
@@ -304,13 +322,13 @@ Password hash sync is the simplest way to enable authentication for on-premises
 
 ### More information about password hash sync
 
-[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
+[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
 
 ## Primary refresh token
 
-Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device.
+Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Microsoft Entra ID and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device.
 
-The PRT is initially obtained during Windows user sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Azure AD joined and hybrid Azure AD-joined devices. For personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account. For a personal device the account to unlock the device isn't the work account, but a consumer account. For example, hotmail.com, live.com, or outlook.com.
+The PRT is initially obtained during Windows user sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. For personal devices registered with Microsoft Entra ID, the PRT is initially obtained upon Add Work or School Account. For a personal device the account to unlock the device isn't the work account, but a consumer account. For example, hotmail.com, live.com, or outlook.com.
 
 The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. The PRT also contains information about the device. If you have any [device-based conditional access](/azure/active-directory/conditional-access/concept-conditional-access-grant) policy set on an application, without the PRT, access will be denied.
 
@@ -330,7 +348,7 @@ The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of
 
 ## Trust type
 
-The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type doesn't affect authentication to Azure AD. Windows Hello for Business authentication to Azure AD always uses the key, not a certificate (excluding smart card authentication in a federated environment).
+The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type doesn't affect authentication to Microsoft Entra ID. Windows Hello for Business authentication to Microsoft Entra ID always uses the key, not a certificate (excluding smart card authentication in a federated environment).
 
 ### Related to trust type
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 93bfd6d56a..ee893787c7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -2,11 +2,11 @@
 title: How Windows Hello for Business works
 description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
 ms.date: 05/05/2018
-ms.topic: article
+ms.topic: overview
 ---
 # How Windows Hello for Business works in Windows Devices
 
-Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices.
+Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Microsoft Entra joined, Microsoft Entra hybrid joined, or Microsoft Entra registered devices. Windows Hello for Business also works for domain joined devices.
 
 Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
 > [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
@@ -17,7 +17,7 @@ Windows Hello for Business is a distributed system that uses several components
 
 ### Device Registration
 
-Registration is a fundamental prerequisite for Windows Hello for Business.  Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
+Registration is a fundamental prerequisite for Windows Hello for Business.  Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Microsoft Entra ID and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
 
 For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works).
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 3eeb4f536d..fab3db4894 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -1,6 +1,6 @@
 ---
-title: Use Certificates to enable SSO for Azure AD join devices
-description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps.
+title: Use Certificates to enable SSO for Microsoft Entra join devices
+description: If you want to use certificates for on-premises single-sign on for Microsoft Entra joined devices, then follow these additional steps.
 ms.date: 08/19/2018
 ms.topic: how-to
 ---
@@ -9,14 +9,14 @@ ms.topic: how-to
 
 [!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cert-trust-aad.md)]
 
-If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices.
+If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Microsoft Entra joined devices.
 
 > [!IMPORTANT]
-> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso) before you continue.
+> Ensure you have performed the configurations in [Microsoft Entra joined devices for On-premises Single-Sign On](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso) before you continue.
 
 Steps you'll perform include:
 
-- [Prepare Azure AD Connect](#prepare-azure-ad-connect)
+- [Prepare Microsoft Entra Connect](#prepare-azure-ad-connect)
 - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
 - [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority)
 - [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role)
@@ -26,7 +26,7 @@ Steps you'll perform include:
 
 ## Requirements
 
-You need to install and configure additional infrastructure to provide Azure AD-joined devices with on-premises single-sign on.
+You need to install and configure additional infrastructure to provide Microsoft Entra joined devices with on-premises single-sign on.
 
 - An existing Windows Server 2012 R2 or later Enterprise Certificate Authority
 - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role
@@ -43,29 +43,33 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u
 - Encryption
 - Signature and Encryption
 
-If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers.  Alternatively, consider consolidating certificate templates to reduce the number of certificate templates.
+If you need to deploy more than three types of certificates to the Microsoft Entra joined device, you need additional NDES servers.  Alternatively, consider consolidating certificate templates to reduce the number of certificate templates.
 
 ### Network Requirements
 
 All communication occurs securely over port 443.
 
-## Prepare Azure AD Connect
+<a name='prepare-azure-ad-connect'></a>
+
+## Prepare Microsoft Entra Connect
 
 Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain.  The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name.
 
 Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller.  Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller.
 
-To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute.  Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
+To include the on-premises distinguished name in the certificate's subject, Microsoft Entra Connect must replicate the Active Directory **distinguishedName** attribute to the Microsoft Entra ID **onPremisesDistinguishedName** attribute.  Microsoft Entra Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
 
-### Verify Azure Active Directory Connect version
+<a name='verify-azure-active-directory-connect-version'></a>
 
-Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.
+### Verify Microsoft Entra Connect version
 
-1. Open **Synchronization Services** from the **Azure AD Connect** folder.
+Sign-in to computer running Microsoft Entra Connect with access equivalent to _local administrator_.
+
+1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder.
 
 2. In the **Synchronization Service Manager**, select **Help** and then select **About**.
 
-3. If the version number isn't **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
+3. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version.
 
 ### Verify the onPremisesDistinguishedName attribute is synchronized
 
@@ -80,7 +84,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
 
 3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent.
 
-4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Azure Active Directory.  Select **Run query**.
+4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID.  Select **Run query**.
 
 > [!NOTE]
 > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios.
@@ -232,7 +236,7 @@ You must prepare the public key infrastructure and the issuing certificate autho
 
 - Configure the certificate authority to let Intune provide validity periods
 - Create an NDES-Intune Authentication Certificate template
-- Create an Azure AD joined Windows Hello for Business authentication certificate template
+- Create a Microsoft Entra joined Windows Hello for Business authentication certificate template
 - Publish certificate templates
 
 ### Configure the certificate authority to let Intune provide validity periods
@@ -283,7 +287,9 @@ Sign-in to the issuing certificate authority or management workstations with _Do
 
 11. Select on the **Apply** to save changes and close the console.
 
-### Create an Azure AD joined Windows Hello for Business authentication certificate template
+<a name='create-an-azure-ad-joined-windows-hello-for-business-authentication-certificate-template'></a>
+
+### Create a Microsoft Entra joined Windows Hello for Business authentication certificate template
 
 During Windows Hello for Business provisioning,  Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user.  This task configures the Windows Hello for Business authentication certificate template.  You use the name of the certificate template when configuring the NDES Server.
 
@@ -455,13 +461,13 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
 
 5. Select **Add**.
 
-6. Select **Users or Computers...**  Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD-joined devices.  From the **Available services** list, select **HOST**.  Select **OK**.
+6. Select **Users or Computers...**  Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Microsoft Entra joined devices.  From the **Available services** list, select **HOST**.  Select **OK**.
 
    ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
 
 7. Repeat steps 5 and 6 for each NDES server using this service account. Select **Add**.
 
-8. Select **Users or computers...**  Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD-joined devices.  From the **Available services** list, select **dcom**.  Hold the **CTRL** key and select **HOST**. Select **OK**.
+8. Select **Users or computers...**  Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Microsoft Entra joined devices.  From the **Available services** list, select **dcom**.  Hold the **CTRL** key and select **HOST**. Select **OK**.
 
 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
 
@@ -534,7 +540,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
 
 1. Open an elevated command prompt.
 
-2. Using the table above, decide which registry value name you'll use to request Windows Hello for Business authentication certificates for Azure AD-joined devices.
+2. Using the table above, decide which registry value name you'll use to request Windows Hello for Business authentication certificates for Microsoft Entra joined devices.
 
 3. Type the following command:
 
@@ -542,7 +548,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
    reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
    ```
 
-   where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD-joined devices.  Example:
+   where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Microsoft Entra joined devices.  Example:
 
    ```console
    reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
@@ -557,13 +563,13 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
 
 ### Create a Web Application Proxy for the internal NDES URL.
 
-Certificate enrollment for Azure AD-joined devices occurs over the Internet.  As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy.  Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
+Certificate enrollment for Microsoft Entra joined devices occurs over the Internet.  As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Microsoft Entra application proxy.  Microsoft Entra application proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
 
-Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs.  This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests).  Microsoft Intune sends these requests to Azure AD Application Proxies.
+Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs.  This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests).  Microsoft Intune sends these requests to Microsoft Entra Application Proxies.
 
-Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications.
+Microsoft Entra Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Microsoft Entra Application Proxies. You can create connector groups in Microsoft Entra ID to assign specific connectors to service specific applications.
 
-Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group.  This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests.  Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.
+Connector group automatically round-robin, load balance the Microsoft Entra application proxy requests to the connectors within the assigned connector group.  This ensures Windows Hello for Business certificate requests have multiple dedicated Microsoft Entra application proxy connectors exclusively available to satisfy enrollment requests.  Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.
 
 #### Download and Install the Application Proxy Connector Agent
 
@@ -571,7 +577,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 
-2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, select **Azure Active Directory**.
+2. Select **All Services**.  Type **Microsoft Entra ID** to filter the list of services.  Under **SERVICES**, select **Microsoft Entra ID**.
 
 3. Under **MANAGE**, select **Application proxy**.
 
@@ -582,7 +588,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
 
    > [!IMPORTANT]
-   > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy.  Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability.  Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
+   > Install a minimum of two Microsoft Entra ID Proxy connectors for each NDES Application Proxy.  Strategically locate Microsoft Entra application proxy connectors throughout your organization to ensure maximum availability.  Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
 
 6. Start **AADApplicationProxyConnectorInstaller.exe**.
 
@@ -598,7 +604,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
    ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png)
 
-10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
+10. Repeat steps 5 - 10 for each device that will run the Microsoft Entra application proxy connector for Windows Hello for Business certificate deployments.
 
 #### Create a Connector Group
 
@@ -606,7 +612,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 
-2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, select **Azure Active Directory**.
+2. Select **All Services**.  Type **Microsoft Entra ID** to filter the list of services.  Under **SERVICES**, select **Microsoft Entra ID**.
 
 3. Under **MANAGE**, select **Application proxy**.
 
@@ -626,17 +632,17 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 
-2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, select **Azure Active Directory**.
+2. Select **All Services**.  Type **Microsoft Entra ID** to filter the list of services.  Under **SERVICES**, select **Microsoft Entra ID**.
 
 3. Under **MANAGE**, select **Application proxy**.
 
 4. Select **Configure an app**.
 
-5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**.  Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server.  Each NDES server must have its own Azure AD Application Proxy as two NDES servers can't share the same internal URL.
+5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**.  Choose a name that correlates this Microsoft Entra application proxy setting with the on-premises NDES server.  Each NDES server must have its own Microsoft Entra application proxy as two NDES servers can't share the same internal URL.
 
-6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy.  For example, ```https://ndes.corp.mstepdemo.net```.  You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
+6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Microsoft Entra application proxy.  For example, ```https://ndes.corp.mstepdemo.net```.  You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
 
-7. Under **Internal URL**, select **https://** from the first list.  In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy.  In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy.  It's recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
+7. Under **Internal URL**, select **https://** from the first list.  In the text box next to **https://**, type the hostname you want to use as your external hostname for the Microsoft Entra application proxy.  In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Microsoft Entra application proxy.  It's recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Microsoft Entra tenant name (-mstephendemo.msappproxy.net).
 
    ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png)
 
@@ -681,7 +687,7 @@ Sign-in the NDES server with access equivalent to _local administrators_.
 
 10. Select **Enroll**
 
-11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD-joined devices.
+11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Microsoft Entra joined devices.
 
 ### Configure the Web Server Role
 
@@ -824,7 +830,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 
-2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, select **Azure Active Directory**.
+2. Select **All Services**.  Type **Microsoft Entra ID** to filter the list of services.  Under **SERVICES**, select **Microsoft Entra ID**.
 
 3. Select **Groups**.  Select **New group**.
 
@@ -836,7 +842,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 7. Select **Assigned** from the **Membership type** list.
 
-   ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png)
+   ![Microsoft Entra new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png)
 
 8. Select **Members**.  Use the  **Select members** pane to add members to this group. When finished, select **Select**.
 
@@ -889,7 +895,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
     ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png)
 
-17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, ```https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll```. Select **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
+17. Under **SCEP Server URLs**, type the fully qualified external name of the Microsoft Entra application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, ```https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll```. Select **Add**. Repeat this step for each additional NDES Microsoft Entra application proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
 
 18. Select **Next**.
 
@@ -924,7 +930,7 @@ You have successfully completed the configuration.  Add users that need to enrol
 
 > [!div class="checklist"]
 > - Requirements
-> - Prepare Azure AD Connect
+> - Prepare Microsoft Entra Connect
 > - Prepare the Network Device Enrollment Services (NDES) Service Account
 > - Prepare Active Directory Certificate Authority
 > - Install and Configure the NDES Role
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index bcd910f606..e4c13dae5d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -1,21 +1,21 @@
 ---
-title: Configure single sign-on (SSO) for Azure AD joined devices
-description: Learn how to configure single sign-on to on-premises resources for Azure AD-joined devices, using Windows Hello for Business.
+title: Configure single sign-on (SSO) for Microsoft Entra joined devices
+description: Learn how to configure single sign-on to on-premises resources for Microsoft Entra joined devices, using Windows Hello for Business.
 ms.date: 12/30/2022
-ms.topic: article
+ms.topic: how-to
 ---
-# Configure single sign-on for Azure AD joined devices
+# Configure single sign-on for Microsoft Entra joined devices
 
 [!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-keycert-trust-aad.md)]
 
-Windows Hello for Business combined with Azure AD-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Azure AD-joined devices using Windows Hello for Business, using a key or a certificate.
+Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Microsoft Entra joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
 
 > [!NOTE]
 > These steps are not needed when using the cloud Kerberos trust model.
 
 ## Prerequisites
 
-Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices:
+Unlike Microsoft Entra hybrid joined devices, Microsoft Entra joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Microsoft Entra joined devices:
 
 > [!div class="checklist"]
 > - Certificate Revocation List (CRL) Distribution Point
@@ -29,9 +29,9 @@ During certificate validation, Windows compares the current certificate with inf
 
 ![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png)
 
-The preceding domain controller certificate shows a *CRL distribution point* (CDP) in Active Directory. The value in the URL begins with *ldap*. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure AD joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
+The preceding domain controller certificate shows a *CRL distribution point* (CDP) in Active Directory. The value in the URL begins with *ldap*. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Microsoft Entra joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
 
-To resolve this issue, the CRL distribution point must be a location accessible by Azure AD joined devices that doesn't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
+To resolve this issue, the CRL distribution point must be a location accessible by Microsoft Entra joined devices that doesn't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
 
 If your CRL distribution point doesn't list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first, in the list of distribution points.
 
@@ -40,11 +40,11 @@ If your CRL distribution point doesn't list an HTTP distribution point, then you
 
 ### Domain controller certificates
 
-Certificate authorities write CDP information in certificates as they're issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CDP. The domain controller certificate is one the critical components of Azure AD-joined devices authenticating to Active Directory.
+Certificate authorities write CDP information in certificates as they're issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CDP. The domain controller certificate is one the critical components of Microsoft Entra joined devices authenticating to Active Directory.
 
 #### Why does Windows need to validate the domain controller certificate?
 
-Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
+Windows Hello for Business enforces the strict KDC validation security feature when authenticating from a Microsoft Entra joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on a Microsoft Entra joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
 
 - The domain controller has the private key for the certificate provided
 - The root CA that issued the domain controller's certificate is in the device's *Trusted Root Certificate Authorities*
@@ -54,7 +54,7 @@ Windows Hello for Business enforces the strict KDC validation security feature w
 - The domain controller's certificate's signature hash algorithm is **sha256**
 - The domain controller's certificate's public key is **RSA (2048 Bits)**
 
-Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Azure AD-joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU.
+Authenticating from a Microsoft Entra hybrid joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Microsoft Entra joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU.
 
 ## Configure a CRL distribution point for an issuing CA
 
@@ -62,7 +62,7 @@ Use this set of procedures to update the CA that issues domain controller certif
 
 ### Configure Internet Information Services to host CRL distribution point
 
-You need to host your new certificate revocation list on a web server so Azure AD-joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point.
+You need to host your new certificate revocation list on a web server so Microsoft Entra joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point.
 
 > [!IMPORTANT]
 > Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http. 
@@ -217,9 +217,11 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
 1. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**
     ![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
 
-## Deploy the root CA certificate to Azure AD-joined devices
+<a name='deploy-the-root-ca-certificate-to-azure-ad-joined-devices'></a>
 
-The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Azure AD-joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices don't trust domain controller certificates and authentication fails.
+## Deploy the root CA certificate to Microsoft Entra joined devices
+
+The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Microsoft Entra joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Microsoft Entra joined devices don't trust domain controller certificates and authentication fails.
 
 ### Export the enterprise root certificate
 
@@ -250,4 +252,4 @@ To configure devices with Microsoft Intune, use a custom policy:
 1. Under **Assignment**, select a security group that contains as members the devices or users that you want to configure > **Next**
 1. Review the policy configuration and select **Create**
 
-If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). Otherwise, you can sign in to an Azure AD joined device with Windows Hello for Business and test SSO to an on-premises resource.
+If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). Otherwise, you can sign in to a Microsoft Entra joined device with Windows Hello for Business and test SSO to an on-premises resource.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
index 662e259872..e3340a65c2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
@@ -25,12 +25,12 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling
 [!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
 
 > [!NOTE]
-> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for hybrid Azure AD-joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD-joined devices.
+> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
 
 > [!IMPORTANT]
-> For Azure AD joined devices to authenticate to on-premises resources, ensure to:
+> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
 > - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
-> - Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based URL
+> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
 
 [!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
 
@@ -54,7 +54,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 1. Close the console
 
 > [!IMPORTANT]
-> If you plan to deploy **Azure AD joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
+> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
 
 ## Configure and deploy certificates to domain controllers
 
@@ -82,4 +82,4 @@ Before moving to the next section, ensure the following steps are complete:
 > [Next: configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md)
 
 <!--links-->
-[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
\ No newline at end of file
+[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index eabb6ec24d..754b52a3a5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -15,7 +15,7 @@ ms.topic: how-to
 
 [!INCLUDE [hello-hybrid-cert-trust](./includes/hello-hybrid-cert-trust.md)]
 
-Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
+Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
 
 This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
 
@@ -29,10 +29,10 @@ The following prerequisites must be met for a hybrid certificate trust deploymen
 
 > [!div class="checklist"]
 > * Directories and directory synchronization
-> * Federated authentication to Azure AD
+> * Federated authentication to Microsoft Entra ID
 > * Device registration
 > * Public Key Infrastructure
-> * Multi-factor authentication
+> * Multifactor authentication
 > * Device management
 
 ### Directories and directory synchronization
@@ -40,21 +40,23 @@ The following prerequisites must be met for a hybrid certificate trust deploymen
 Hybrid Windows Hello for Business needs two directories:
 
 - An on-premises Active Directory
-- An Azure Active Directory tenant with an Azure AD Premium subscription
+- A Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 subscription
 
-The two directories must be synchronized with [Azure AD Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Azure AD.
-The hybrid-certificate trust deployment needs an *Azure Active Directory Premium* subscription because it uses the device write-back synchronization feature.
+The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.
+The hybrid-certificate trust deployment needs an *Microsoft Entra ID P1 or P2* subscription because it uses the device write-back synchronization feature.
 
 > [!NOTE]
-> Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Azure AD.
+> Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
 
 > [!IMPORTANT]
-> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Azure Active Directory and Active Directory.
+> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory.
 
-### Federated authentication to Azure AD
+<a name='federated-authentication-to-azure-ad'></a>
 
-Windows Hello for Business hybrid certificate trust doesn't support Azure AD *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\
-Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Azure Active Directory using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
+### Federated authentication to Microsoft Entra ID
+
+Windows Hello for Business hybrid certificate trust doesn't support Microsoft Entra ID *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\
+Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
 
 If you're new to AD FS and federation services:
 
@@ -69,18 +71,18 @@ The AD FS farm used with Windows Hello for Business must be Windows Server 2016
 
 ### Device registration and device write-back
 
-Windows devices must be registered in Azure AD. Devices can be registered in Azure AD using either *Azure AD join* or *hybrid Azure AD join*.\
-For hybrid Azure AD joined devices, review the guidance on the [plan your hybrid Azure Active Directory join implementation][AZ-8] page.
+Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\
+For Microsoft Entra hybrid joined devices, review the guidance on the [plan your Microsoft Entra hybrid join implementation][AZ-8] page.
 
-Refer to the [Configure hybrid Azure Active Directory join for federated domains][AZ-10] guide to learn more about using Azure AD Connect Sync to configure Azure AD device registration.\
-For a **manual configuration** of your AD FS farm to support device registration, review the [Configure AD FS for Azure AD device registration][AZ-11] guide.
+Refer to the [Configure Microsoft Entra hybrid join for federated domains][AZ-10] guide to learn more about using Microsoft Entra Connect Sync to configure Microsoft Entra device registration.\
+For a **manual configuration** of your AD FS farm to support device registration, review the [Configure AD FS for Microsoft Entra device registration][AZ-11] guide.
 
 Hybrid certificate trust deployments require the *device write-back* feature. Authentication to AD FS needs both the user and the device to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the device and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back.
 
 > [!NOTE]
-> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. Device write-back is used to update the *msDS-KeyCredentialLink* attribute on the computer object.
+> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Microsoft Entra ID and Active Directory. Device write-back is used to update the *msDS-KeyCredentialLink* attribute on the computer object.
 
-If you manually configured AD FS, or if you ran Azure AD Connect Sync using *Custom Settings*, you must ensure that you have configured **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5].
+If you manually configured AD FS, or if you ran Microsoft Entra Connect Sync using *Custom Settings*, you must ensure that you have configured **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5].
 
 ### Public Key Infrastructure
 
@@ -89,16 +91,18 @@ The enterprise PKI and a certificate registration authority (CRA) are required t
 
 During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA.
 
-### Multi-factor authentication
+<a name='multi-factor-authentication'></a>
+
+### Multifactor authentication
 
 The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
 Hybrid deployments can use:
 
-- [Azure AD Multi-Factor Authentication][AZ-2]
-- A multi-factor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
+- [Microsoft Entra multifactor authentication][AZ-2]
+- A multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
 
-For more information how to configure Azure AD Multi-Factor Authentication, see [Configure Azure AD Multi-Factor Authentication settings][AZ-3].\
-For more information how to configure AD FS to provide multi-factor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
+For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\
+For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
 
 ### Device management
 
@@ -113,7 +117,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
 > * Configure AD FS
 > * Configure Windows Hello for Business settings
 > * Provision Windows Hello for Business on Windows clients
-> * Configure single sign-on (SSO) for Azure AD joined devices
+> * Configure single sign-on (SSO) for Microsoft Entra joined devices
 
 > [!div class="nextstepaction"]
 > [Next: configure and validate the Public Key Infrastructure >](hello-hybrid-cert-trust-validate-pki.md)
@@ -135,4 +139,4 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
 [SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm
 [SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts
 [SER-4]: /windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2
-[SER-5]: /windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises#configure-device-write-back-and-device-authentication
\ No newline at end of file
+[SER-5]: /windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises#configure-device-write-back-and-device-authentication
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 934a3f70de..0d5ed158f7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -16,9 +16,9 @@ After the prerequisites are met and the PKI and AD FS configurations are validat
 #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 
 > [!IMPORTANT]
-> The information in this section applies to hybrid Azure AD joined devices only.
+> The information in this section applies to Microsoft Entra hybrid joined devices only.
 
-For hybrid Azure AD joined devices, you can use group policies to configure Windows Hello for Business.
+For Microsoft Entra hybrid joined devices, you can use group policies to configure Windows Hello for Business.
 It is suggested to create a security group (for example, *Windows Hello for Business Users*) to make it easy to deploy Windows Hello for Business in phases. You assign the **Group Policy** and **Certificate template permissions** to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate.
 
 ### Enable Windows Hello for Business group policy setting
@@ -95,11 +95,11 @@ Users (or devices) must receive the Windows Hello for Business group policy sett
 ## Configure Windows Hello for Business using Microsoft Intune
 
 > [!IMPORTANT]
-> The information in this section applies to Azure AD joined devices managed by Intune. Before proceeding, ensure that you completed the steps described in:
-> - [Configure single sign-on for Azure AD joined devices](hello-hybrid-aadj-sso.md)
+> The information in this section applies to Microsoft Entra joined devices managed by Intune. Before proceeding, ensure that you completed the steps described in:
+> - [Configure single sign-on for Microsoft Entra joined devices](hello-hybrid-aadj-sso.md)
 > - [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md)
 
-For Azure AD joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
+For Microsoft Entra joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
 
 There are different ways to enable and configure Windows Hello for Business in Intune:
 
@@ -163,19 +163,19 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell
 1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**
 1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
 1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
-1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Azure AD Connect synchronizes the user's key to Active Directory
+1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory
 
 :::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
 
 > [!IMPORTANT]
 > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
 > 
-> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. 
+> The minimum time needed to synchronize the user's public key from Microsoft Entra ID to the on-premises Active Directory is 30 minutes. The Microsoft Entra Connect scheduler controls the synchronization interval. 
 > **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
-> Read [Azure AD Connect sync: Scheduler](/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
+> Read [Microsoft Entra Connect Sync: Scheduler](/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
 >
 > [!NOTE]
-> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning.  With this update, users no longer need to wait for Azure AD Connect to sync their  public key on-premises.  Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.
+> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning.  With this update, users no longer need to wait for Microsoft Entra Connect to sync their  public key on-premises.  Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.
 
 After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate.  Windows send the certificate request to the AD FS server for certificate enrollment.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
index d1059a1570..7b4394d51f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
@@ -14,18 +14,20 @@ ms.topic: tutorial
 
 Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
 
-1. Set up Azure AD Kerberos.
+1. Set up Microsoft Entra Kerberos.
 1. Configure a Windows Hello for Business policy and deploy it to the devices.
 
-### Deploy Azure AD Kerberos
+<a name='deploy-azure-ad-kerberos'></a>
 
-If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section.
+### Deploy Microsoft Entra Kerberos
 
-If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD][AZ-2] documentation. This page includes information on how to install and use the Azure AD Kerberos PowerShell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
+If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Microsoft Entra Kerberos in your hybrid environment. You don't need to redeploy or change your existing Microsoft Entra Kerberos deployment to support Windows Hello for Business and you can skip this section.
+
+If you haven't deployed Microsoft Entra Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Microsoft Entra ID][AZ-2] documentation. This page includes information on how to install and use the Microsoft Entra Kerberos PowerShell module. Use the module to create a Microsoft Entra Kerberos server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
 
 ### Configure Windows Hello for Business policy
 
-After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
+After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
 
 #### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
 
@@ -99,7 +101,7 @@ To configure the cloud Kerberos trust policy:
    - Value: **True**
 
     > [!IMPORTANT]
-    > *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID.
+    > *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Microsoft Entra tenant. See [How to find your Microsoft Entra tenant ID][AZ-3] for instructions on looking up your tenant ID.
 
     :::image type="content" alt-text ="Intune custom-device configuration policy creation" source="images/hello-cloud-trust-intune.png" lightbox="images/hello-cloud-trust-intune-large.png":::
 
@@ -107,7 +109,7 @@ To configure the cloud Kerberos trust policy:
 
 #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 
-Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
+Microsoft Entra hybrid joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
 
 The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled.  
 
@@ -142,17 +144,17 @@ You can configure Windows Hello for Business cloud Kerberos trust using a Group
 
 ## Provision Windows Hello for Business
 
-The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy.
+The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Microsoft Entra hybrid joined devices when cloud Kerberos trust is enabled by policy.
 
 You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
 This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
 
 :::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="images/cloud-trust-prereq-check.png" lightbox="images/cloud-trust-prereq-check.png":::
 
-The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined.
+The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Microsoft Entra Kerberos is set up for the user's domain and tenant. If Microsoft Entra Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Microsoft Entra joined.
 
 > [!NOTE]
-> The cloud Kerberos trust prerequisite check isn't done on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.
+> The cloud Kerberos trust prerequisite check isn't done on Microsoft Entra joined devices. If Microsoft Entra Kerberos isn't provisioned, a user on a Microsoft Entra joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.
 
 ### PIN Setup
 
@@ -166,18 +168,18 @@ After a user signs in, this is the process that occurs to enroll in Windows Hell
 
 ### Sign-in
 
-Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
+Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Microsoft Entra hybrid joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
 
 ## Migrate from key trust deployment model to cloud Kerberos trust
 
 If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
 
-1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos).
+1. [Set up Microsoft Entra Kerberos in your hybrid environment](#deploy-azure-ad-kerberos).
 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy).
-1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business.
+1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business.
 
 > [!NOTE]
-> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
+> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
 
 ## Migrate from certificate trust deployment model to cloud Kerberos trust
 
@@ -193,7 +195,7 @@ If you deployed Windows Hello for Business using the certificate trust model, an
 1. Provision Windows Hello for Business using a method of your choice.
 
 > [!NOTE]
-> For hybrid Azure AD joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
+> For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
 
 ## Frequently Asked Questions
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index 23b6c288e5..464e918a1e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -16,34 +16,36 @@ Windows Hello for Business replaces password sign-in with strong authentication,
 
 The goal of Windows Hello for Business cloud Kerberos trust is to bring the simplified deployment experience of [*passwordless security key sign-in*][AZ-1] to Windows Hello for Business, and it can be used for new or existing Windows Hello for Business deployments.
 
-Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which enables a simpler deployment when compared to the *key trust model*:
+Windows Hello for Business cloud Kerberos trust uses *Microsoft Entra Kerberos*, which enables a simpler deployment when compared to the *key trust model*:
 
 - No need to deploy a public key infrastructure (PKI) or to change an existing PKI
-- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory
+- No need to synchronize public keys between Microsoft Entra ID and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory
 - [Passwordless security key sign-in][AZ-1] can be deployed with minimal extra setup
 
 > [!NOTE]
 > Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the *key trust model*. It is also the preferred deployment model if you do not need to support certificate authentication scenarios.
 
-## Azure AD Kerberos and cloud Kerberos trust authentication
+<a name='azure-ad-kerberos-and-cloud-kerberos-trust-authentication'></a>
+
+## Microsoft Entra Kerberos and cloud Kerberos trust authentication
 
 *Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
 
-Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\
-With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization.
+Cloud Kerberos trust uses Microsoft Entra Kerberos, which doesn't require a PKI to request TGTs.\
+With Microsoft Entra Kerberos, Microsoft Entra ID can issue TGTs for one or more AD domains. Windows can request a TGT from Microsoft Entra ID when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization.
 
-When Azure AD Kerberos is enabled in an Active Directory domain, an *AzureADKerberos* computer object is created in the domain. This object:
+When Microsoft Entra Kerberos is enabled in an Active Directory domain, an *AzureADKerberos* computer object is created in the domain. This object:
 
 - Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
-- Is only used by Azure AD to generate TGTs for the Active Directory domain
+- Is only used by Microsoft Entra ID to generate TGTs for the Active Directory domain
 
   > [!NOTE]
   > Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust.
 
-:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Azure AD Kerberos server ":::
+:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server ":::
 
-For more information about how Azure AD Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][AZ-1].\
-For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust).
+For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][AZ-1].\
+For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust).
 
 > [!IMPORTANT]
 > When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
@@ -52,10 +54,10 @@ For more information about how Azure AD Kerberos works with Windows Hello for Bu
 
 | Requirement | Notes |
 | --- | --- |
-| Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. |
-| Windows 10, version 21H2 or Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
+| Multifactor authentication | This requirement can be met using [Microsoft Entra multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multifactor authentication provided through AD FS, or a comparable solution. |
+| Windows 10, version 21H2 or Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Microsoft Entra joined and Microsoft Entra hybrid joined devices. |
 | Windows Server 2016 or later Domain Controllers | If you're using Windows Server 2016, [KB3534307][SUP-1] must be installed. If you're using Server 2019, [KB4534321][SUP-2] must be installed. |
-| Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).|
+| Microsoft Entra Kerberos PowerShell module | This module is used for enabling and managing Microsoft Entra Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).|
 | Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
 
 ### Unsupported scenarios
@@ -65,19 +67,19 @@ The following scenarios aren't supported using Windows Hello for Business cloud
 - On-premises only deployments
 - RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container)
 - Using cloud Kerberos trust for "Run as"
-- Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
+- Signing in with cloud Kerberos trust on a Microsoft Entra hybrid joined device without previously signing in with DC connectivity
 
 > [!NOTE]
 > The default *Password Replication Policy* configured on the AzureADKerberos computer object doesn't allow to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys.
 >
-> Due to possible attack vectors from Azure AD to Active Directory, it **isn't recommended** to unblock these accounts by relaxing the Password Replication Policy of the computer object `CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>`.
+> Due to possible attack vectors from Microsoft Entra ID to Active Directory, it **isn't recommended** to unblock these accounts by relaxing the Password Replication Policy of the computer object `CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>`.
 
 ## Next steps
 
 Once the prerequisites are met, deploying Windows Hello for Business with a cloud Kerberos trust model consists of the following steps:
 
 > [!div class="checklist"]
-> * Deploy Azure AD Kerberos
+> * Deploy Microsoft Entra Kerberos
 > * Configure Windows Hello for Business settings
 > * Provision Windows Hello for Business on Windows clients
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
index 7c2d96a0d1..dc8d3d3a24 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
@@ -15,7 +15,7 @@ After the prerequisites are met and the PKI configuration is validated, Windows
 
 ## Configure Windows Hello for Business using Microsoft Intune
 
-For Azure AD joined devices and hybrid Azure AD joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
+For Microsoft Entra joined devices and Microsoft Entra hybrid joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business.
 
 There are different ways to enable and configure Windows Hello for Business in Intune:
 
@@ -66,7 +66,7 @@ To configure Windows Hello for Business using an *account protection* policy:
 
 ## Configure Windows Hello for Business using group policies
 
-For hybrid Azure AD joined devices, you can use group policies to configure Windows Hello for Business.
+For Microsoft Entra hybrid joined devices, you can use group policies to configure Windows Hello for Business.
 It's suggested to create a security group (for example, *Windows Hello for Business Users*) to make it easy to deploy Windows Hello for Business in phases. You assign **Group Policy permissions** to this group to simplify the deployment by adding the users to the group.
 
 The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
@@ -144,14 +144,14 @@ The following process occurs after a user signs in, to enroll in Windows Hello f
 1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**
 1. The enrollment flow proceeds to the multi-factor authentication phase. The process informs the user that there's an MFA contact attempt, using the configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
 1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
-1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Azure AD Connect synchronizes the user's key to Active Directory
+1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory
 
 :::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
 
 > [!IMPORTANT]
-> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
+> The minimum time needed to synchronize the user's public key from Microsoft Entra ID to the on-premises Active Directory is 30 minutes. The Microsoft Entra Connect scheduler controls the synchronization interval.
 > **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
-> Read [Azure AD Connect sync: Scheduler][AZ-5] to view and adjust the **synchronization cycle** for your organization.
+> Read [Microsoft Entra Connect Sync: Scheduler][AZ-5] to view and adjust the **synchronization cycle** for your organization.
 
 <!--links-->
 [AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
index c4248ffb62..f39545b8e8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
@@ -16,7 +16,7 @@ ms.topic: tutorial
 
 Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
 
-Key trust deployments do not need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Azure AD Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`).
+Key trust deployments do not need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Microsoft Entra Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`).
 
 A Windows Server-based PKI or a third-party Enterprise certification authority can be used. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA][SERV-1].
 
@@ -49,12 +49,12 @@ Sign in using *Enterprise Administrator* equivalent credentials on a Windows Ser
 [!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)]
 
 > [!NOTE]
-> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for hybrid Azure AD-joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD-joined devices.
+> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.
 
 > [!IMPORTANT]
-> For Azure AD joined devices to authenticate to on-premises resources, ensure to:
+> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to:
 > - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune
-> - Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based URL
+> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL
 
 [!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)]
 
@@ -74,7 +74,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
 1. Close the console
 
 > [!IMPORTANT]
-> If you plan to deploy **Azure AD joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
+> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](hello-hybrid-aadj-sso.md).
 
 ## Configure and deploy certificates to domain controllers
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index 8ab43e5406..d9716ad230 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -14,7 +14,7 @@ ms.topic: how-to
 
 [!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-key-trust.md)]
 
-Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
+Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources.
 
 This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario.
 
@@ -29,10 +29,10 @@ The following prerequisites must be met for a hybrid key trust deployment:
 
 > [!div class="checklist"]
 > * Directories and directory synchronization
-> * Authentication to Azure AD
+> * Authentication to Microsoft Entra ID
 > * Device registration
 > * Public Key Infrastructure
-> * Multi-factor authentication
+> * Multifactor authentication
 > * Device management
 
 ### Directories and directory synchronization
@@ -40,40 +40,44 @@ The following prerequisites must be met for a hybrid key trust deployment:
 Hybrid Windows Hello for Business needs two directories:
 
 - An on-premises Active Directory
-- An Azure Active Directory tenant
+- A Microsoft Entra tenant
 
-The two directories must be synchronized with [Azure AD Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Azure AD.\
-During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Azure AD. *Azure AD Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
+The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Azure AD.\
+During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
 
 > [!NOTE]
-> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Azure AD.
+> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID.
 
-### Authentication to Azure AD
+<a name='authentication-to-azure-ad'></a>
 
-Authentication to Azure AD can be configured with or without federation:
+### Authentication to Microsoft Entra ID
 
-- [Password hash synchronization][AZ-6] or [Azure Active Directory pass-through-authentication][AZ-7] is required for non-federated environments
+Authentication to Microsoft Entra ID can be configured with or without federation:
+
+- [Password hash synchronization][AZ-6] or [Microsoft Entra pass-through authentication][AZ-7] is required for non-federated environments
 - Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments
 
 ### Device registration
 
-The Windows devices must be registered in Azure AD. Devices can be registered in Azure AD using either *Azure AD join* or *hybrid Azure AD join*.\
-For *hybrid Azure AD joined* devices, review the guidance on the [Plan your hybrid Azure Active Directory join implementation][AZ-8] page.
+The Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\
+For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][AZ-8] page.
 
 ### Public Key Infrastructure
 
 An enterprise PKI is required as *trust anchor* for authentication. Domain controllers require a certificate for Windows clients to trust them.
 
-### Multi-factor authentication
+<a name='multi-factor-authentication'></a>
+
+### Multifactor authentication
 
 The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\
 Hybrid deployments can use:
 
-- [Azure AD Multi-Factor Authentication][AZ-2]
-- A multi-factor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
+- [Microsoft Entra multifactor authentication][AZ-2]
+- A multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS
 
-For more information how to configure Azure AD Multi-Factor Authentication, see [Configure Azure AD Multi-Factor Authentication settings][AZ-3].\
-For more information how to configure AD FS to provide multi-factor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
+For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\
+For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1].
 
 ### Device management
 
@@ -87,7 +91,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
 > * Configure and validate the PKI
 > * Configure Windows Hello for Business settings
 > * Provision Windows Hello for Business on Windows clients
-> * Configure single sign-on (SSO) for Azure AD joined devices
+> * Configure single sign-on (SSO) for Microsoft Entra joined devices
 
 > [!div class="nextstepaction"]
 > [Next: configure and validate the Public Key Infrastructure >](hello-hybrid-key-trust-validate-pki.md)
@@ -102,4 +106,4 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
 [AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
 [AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
 
-[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
\ No newline at end of file
+[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 510a0584ba..ea4c5a3119 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 07/05/2023
+ms.date: 10/09/2023
 title: Windows Hello for Business Deployment Prerequisite Overview
 description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
 ms.topic: overview
@@ -17,12 +17,14 @@ appliesto:
 
 This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.
 
-## Azure AD Cloud Only Deployment
+<a name='azure-ad-cloud-only-deployment'></a>
 
-- Azure Active Directory
-- Azure AD Multifactor Authentication
+## Microsoft Entra Cloud Only Deployment
+
+- Microsoft Entra ID
+- Microsoft Entra multifactor authentication
 - Device management solution (Intune or supported third-party MDM), *optional*
-- Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory
+- Microsoft Entra ID P1 or P2 subscription - *optional*, needed for automatic MDM enrollment when the device joins Microsoft Entra ID
 
 ## Hybrid Deployments
 
@@ -37,19 +39,19 @@ The table shows the minimum requirements for each deployment. For key trust in a
 | **Certificate Authority**| Not required |Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions |
 | **AD FS Version** | Not required | Not required | Any supported Windows Server versions | Any supported Windows Server versions |
 | **MFA Requirement** | Azure MFA, or<br/>AD FS w/Azure MFA adapter, or<br/>AD FS w/Azure MFA Server adapter, or<br/>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or<br/>AD FS w/Azure MFA adapter, or<br/>AD FS w/Azure MFA Server adapter, or<br/>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or<br/>AD FS w/Azure MFA adapter, or<br/>AD FS w/Azure MFA Server adapter, or<br/>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or<br/>AD FS w/Azure MFA adapter, or<br/>AD FS w/Azure MFA Server adapter, or<br/>AD FS w/3rd Party MFA Adapter |
-| **Azure AD Connect** | Not required | Required | Required | Required |
-| **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required |
+| **Microsoft Entra Connect** | Not required. It's recommended to use [Microsoft Entra Connect cloud sync](/azure/active-directory/hybrid/cloud-sync/what-is-cloud-sync) | Required | Required | Required |
+| **Microsoft Entra ID license** | Microsoft Entra ID P1 or P2, optional | Microsoft Entra ID P1 or P2, optional | Microsoft Entra ID P1 or P2, needed for device write-back | Microsoft Entra ID P1 or P2, optional. Intune license required |
 
 ## On-premises Deployments
 
 The table shows the minimum requirements for each deployment.
 
-| Key trust <br/> Group Policy managed | Certificate trust <br/> Group Policy managed|
-| --- | --- |
-|Any supported Windows client versions|Any supported Windows client versions|
-| Windows Server 2016 Schema | Windows Server 2016 Schema|
-| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
-| Any supported Windows Server versions  | Any supported Windows Server versions |
-| Any supported Windows Server versions  | Any supported Windows Server versions  |
-| Any supported Windows Server versions  | Any supported Windows Server versions  |
-| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter |
\ No newline at end of file
+| Requirement | Key trust <br/> Group Policy managed | Certificate trust <br/> Group Policy managed|
+| --- | --- | ---|
+| **Windows Version** | Any supported Windows client versions|Any supported Windows client versions|
+| **Schema Version**| Windows Server 2016 Schema | Windows Server 2016 Schema|
+| **Domain and Forest Functional Level**| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
+| **Domain Controller Version**| Any supported Windows Server versions  | Any supported Windows Server versions |
+| **Certificate Authority**| Any supported Windows Server versions  | Any supported Windows Server versions  |
+| **AD FS Version**| Any supported Windows Server versions  | Any supported Windows Server versions  |
+| **MFA Requirement**| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter |
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index be437d043f..cf93d23831 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 12/12/2022
+ms.date: 09/07/2023
 title: Prepare and deploy Active Directory Federation Services in an on-premises key trust
 description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business key trust model.
 appliesto: 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 3fd25ec607..ed52f1c594 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 12/12/2022
+ms.date: 09/07/2023
 title: Configure Windows Hello for Business Policy settings in an on-premises key trust
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario
 appliesto: 
@@ -20,7 +20,7 @@ If you configure the Group Policy for computers, all users that sign-in to those
 
 The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
 
-If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business .
+If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business.
 
 ## Create the GPO
 
@@ -105,4 +105,4 @@ Before you continue with the deployment, validate your deployment progress by re
 
 ## Add users to the Windows Hello for Business Users group
 
-Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
\ No newline at end of file
+Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index 19fe709d3f..2537513f37 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -1,7 +1,7 @@
 ---
 title: Validate Active Directory prerequisites in an on-premises key trust
 description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a key trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 4d089851ff..52c64523e9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -1,7 +1,7 @@
 ---
 title: Validate and Deploy MFA for Windows Hello for Business with key trust
-description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises key trust model.
-ms.date: 12/12/2022
+description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises key trust model.
+ms.date: 09/07/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
@@ -11,22 +11,22 @@ appliesto:
 ms.topic: tutorial
 ---
 
-# Validate and deploy multi-factor authentication - on-premises key trust
+# Validate and deploy multifactor authentication - on-premises key trust
 
 [!INCLUDE [hello-on-premises-key-trust](./includes/hello-on-premises-key-trust.md)]
 
-Windows Hello for Business requires users perform multi-factor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
+Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
 
 - certificates
 - third-party authentication providers for AD FS
 - custom authentication provider for AD FS
 
 > [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
+> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
 
 For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
 
-Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
+Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
 
 > [!div class="nextstepaction"]
-> [Next: configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
\ No newline at end of file
+> [Next: configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index e2f7510aac..ab932d9a99 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -1,7 +1,7 @@
 ---
 title: Configure and validate the Public Key Infrastructure in an on-premises key trust model
 description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model.
-ms.date: 12/12/2022
+ms.date: 09/07/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 576ffdb0a4..999b35f45b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -4,8 +4,8 @@ description: Learn how to create a Group Policy or mobile device management (MDM
 ms.collection: 
   - highpri
   - tier1
-ms.date: 2/15/2022
-ms.topic: article
+ms.date: 9/25/2023
+ms.topic: reference
 ---
 
 # Manage Windows Hello for Business in your organization
@@ -13,37 +13,37 @@ ms.topic: article
 You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices.
 
 >[!IMPORTANT]
->Windows Hello as a convenience PIN is disabled by default on all domain joined and Azure AD joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
+>Windows Hello as a convenience PIN is disabled by default on all domain joined and Microsoft Entra joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
 >
 >Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.
 
 ## Group Policy settings for Windows Hello for Business
 
-The following table lists the Group Policy settings that you can configure for Windows Hello use in your organization. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies > Administrative Templates > Windows Components > Windows Hello for Business**.
+The following table lists the Group Policy settings that you can configure for Windows Hello use in your organization. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
 
 > [!NOTE]
 > The location of the PIN complexity section of the Group Policy is: **Computer Configuration > Administrative Templates > System > PIN Complexity**.
 
 |Policy|Scope|Options|
 |--- |--- |--- |
-|Use Windows Hello for Business|Computer or user|<p><b>Not configured</b>: Device doesn't provision Windows Hello for Business for any user.<p><b>Enabled</b>: Device provisions Windows Hello for Business using keys or certificates for all users.<p><b>Disabled</b>: Device doesn't provision Windows Hello for Business for any user.|
-|Use a hardware security device|Computer|<p><b>Not configured</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.<p><b>Disabled</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
-|Use certificate for on-premises authentication|Computer or user|<p><b>Not configured</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.<p><b>Enabled</b>: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.<p><b>Disabled</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.|
-|Use PIN recovery|Computer|<p>Added in Windows 10, version 1703<p><b>Not configured</b>: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service<p><b>Enabled</b>: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset<p><b>Disabled</b>: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service.<p>For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
-|Use biometrics|Computer|<p><b>Not configured</b>: Biometrics can be used as a gesture in place of a PIN<p><b>Enabled</b>: Biometrics can be used as a gesture in place of a PIN.<p><b>Disabled</b>: Only a PIN can be used as a gesture.|
+|Use Windows Hello for Business|Computer or user|- **Not configured**: Device doesn't provision Windows Hello for Business for any user.<br>- **Enabled**: Device provisions Windows Hello for Business using keys or certificates for all users.<br>- **Disabled**: Device doesn't provision Windows Hello for Business for any user.|
+|Use a hardware security device|Computer|- **Not configured**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.<br>- **Enabled**: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.<br>- **Disabled**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
+|Use certificate for on-premises authentication|Computer or user|- **Not configured**: Windows Hello for Business enrolls a key that is used for on-premises authentication.<br>- **Enabled**: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.<br>- **Disabled**: Windows Hello for Business enrolls a key that is used for on-premises authentication.|
+|Use PIN recovery|Computer|- Added in Windows 10, version 1703<br>- **Not configured**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service<br>- **Enabled**: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset<br>- **Disabled**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service.<br>- For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
+|Use biometrics|Computer|- **Not configured**: Biometrics can be used as a gesture in place of a PIN<br>- **Enabled**: Biometrics can be used as a gesture in place of a PIN.<br>- **Disabled**: Only a PIN can be used as a gesture.|
 
 ### PIN Complexity
 
 |Policy|Scope|Options|
 |--- |--- |--- |
-|Require digits|Computer|<p><b>Not configured</b>: Users must include a digit in their PIN.<p><b>Enabled</b>: Users must include a digit in their PIN.<p><b>Disabled</b>: Users can't use digits in their PIN.|
-|Require lowercase letters|Computer|<p><b>Not configured</b>: Users can't use lowercase letters in their PIN<p><b>Enabled</b>: Users must include at least one lowercase letter in their PIN.<p><b>Disabled</b>: Users can't use lowercase letters in their PIN.|
-|Maximum PIN length|Computer|<p><b>Not configured</b>: PIN length must be less than or equal to 127.<p><b>Enabled</b>: PIN length must be less than or equal to the number you specify.<p><b>Disabled</b>: PIN length must be less than or equal to 127.|
-|Minimum PIN length|Computer|<p><b>Not configured</b>: PIN length must be greater  than or equal to 4.<p><b>Enabled</b>: PIN length must be greater than or equal to the number you specify.<p><b>Disabled</b>: PIN length must be greater  than or equal to 4.|
-|Expiration|Computer|<p><b>Not configured</b>: PIN doesn't expire.<p><b>Enabled</b>: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.<p><b>Disabled</b>: PIN doesn't expire.|
-|History|Computer|<p><b>Not configured</b>: Previous PINs aren't stored.<p><b>Enabled</b>: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.<p><b>Disabled</b>: Previous PINs aren't stored.<div class="alert"><b>Note</b>  Current PIN is included in PIN history.</div>|
-|Require special characters|Computer|<p><b>Not configured</b>: Windows allows, but doesn't require, special characters in the PIN.<p><b>Enabled</b>: Windows requires the user to include at least one special character in their PIN.<p><b>Disabled</b>: Windows doesn't allow the user to include special characters in their PIN.|
-|Require uppercase letters|Computer|<p><b>Not configured</b>: Users can't include an uppercase letter in their PIN.<p><b>Enabled</b>: Users must include at least one uppercase letter in their PIN.<p><b>Disabled</b>: Users can't include an uppercase letter in their PIN.|
+|Require digits|Computer|- **Not configured**: Users must include a digit in their PIN.<br>- **Enabled**: Users must include a digit in their PIN.<br>- **Disabled**: Users can't use digits in their PIN.|
+|Require lowercase letters|Computer|- **Not configured**: Users can't use lowercase letters in their PIN<br>- **Enabled**: Users must include at least one lowercase letter in their PIN.<br>- **Disabled**: Users can't use lowercase letters in their PIN.|
+|Maximum PIN length|Computer|- **Not configured**: PIN length must be less than or equal to 127.<br>- **Enabled**: PIN length must be less than or equal to the number you specify.<br>- **Disabled**: PIN length must be less than or equal to 127.|
+|Minimum PIN length|Computer|- **Not configured**: PIN length must be greater  than or equal to 4.<br>- **Enabled**: PIN length must be greater than or equal to the number you specify.<br>- **Disabled**: PIN length must be greater  than or equal to 4.|
+|Expiration|Computer|- **Not configured**: PIN doesn't expire.<br>- **Enabled**: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.<br>- **Disabled**: PIN doesn't expire.|
+|History|Computer|- **Not configured**: Previous PINs aren't stored.<br>- **Enabled**: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.<br>- **Disabled**: Previous PINs aren't stored.<br>**Note** Current PIN is included in PIN history.
+|Require special characters|Computer|- **Not configured**: Windows allows, but doesn't require, special characters in the PIN.<br>- **Enabled**: Windows requires the user to include at least one special character in their PIN.<br>- **Disabled**: Windows doesn't allow the user to include special characters in their PIN.|
+|Require uppercase letters|Computer|- **Not configured**: Users can't include an uppercase letter in their PIN.<br>- **Enabled**: Users must include at least one uppercase letter in their PIN.<br>- **Disabled**: Users can't include an uppercase letter in their PIN.|
 
 ### Phone Sign-in
 
@@ -56,34 +56,34 @@ The following table lists the Group Policy settings that you can configure for W
 The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](/windows/client-management/mdm/passportforwork-csp).
 
 >[!IMPORTANT]
->Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
+>All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
 
 |Policy|Scope|Default|Options|
 |--- |--- |--- |--- |
-|UsePassportForWork|Device or user|True|<p>True: Windows Hello for Business will be provisioned for all users on the device.<p>False: Users won't be able to provision Windows Hello for Business. <div class="alert"> **Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but won't be able to set up Windows Hello for Business on other devices</div>|
-|RequireSecurityDevice|Device or user|False|<p>True: Windows Hello for Business will only be provisioned using TPM.<p>False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
-|ExcludeSecurityDevice<p>TPM12|Device|False|Added in Windows 10, version 1703<p>True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.<p>False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.|
-|EnablePinRecovery|Device or use|False|<p>Added in Windows 10, version 1703<p>True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.<p>False: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
+|UsePassportForWork|Device or user|True|- True: Windows Hello for Business will be provisioned for all users on the device.<br>- False: Users won't be able to provision Windows Hello for Business. <br>**Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but won't be able to set up Windows Hello for Business on other devices|
+|RequireSecurityDevice|Device or user|False|- True: Windows Hello for Business will only be provisioned using TPM.<br>- False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.|
+|ExcludeSecurityDevice<br>- TPM12|Device|False|Added in Windows 10, version 1703<br>- True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.<br>- False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.|
+|EnablePinRecovery|Device or use|False|- Added in Windows 10, version 1703<br>- True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.<br>- False: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
 
 ### Biometrics
 
 |Policy|Scope|Default|Options|
 |--- |--- |--- |--- |
-|UseBiometrics|Device |False|<p>True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.<p>False: Only a PIN can be used as a gesture for domain sign-in.|
-|<p>FacialFeaturesUser<p>EnhancedAntiSpoofing|Device|Not configured|<p>Not configured: users can choose whether to turn on enhanced anti-spoofing.<p>True: Enhanced anti-spoofing is required on devices which support it.<p>False: Users can't turn on enhanced anti-spoofing.|
+|UseBiometrics|Device |False|- True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.<br>- False: Only a PIN can be used as a gesture for domain sign-in.|
+|- FacialFeaturesUser<br>-&nbsp;EnhancedAntiSpoofing|Device|Not configured|- Not configured: users can choose whether to turn on enhanced anti-spoofing.<br>- True: Enhanced anti-spoofing is required on devices which support it.<br>- False: Users can't turn on enhanced anti-spoofing.|
 
 ### PINComplexity
 
 |Policy|Scope|Default|Options|
 |--- |--- |--- |--- |
-|Digits |Device or user|1 |<p>0: Digits are allowed. <p>1: At least one digit is required.<p>2: Digits aren't allowed.|
-|Lowercase letters |Device or user|2|<p>0: Lowercase letters are allowed. <p>1: At least one lowercase letter is required.<p>2: Lowercase letters aren't allowed.|
-|Special characters|Device or user|2|<p>0: Special characters are allowed. <p>1: At least one special character is required. <p>2: Special characters aren't allowed.|
-|Uppercase letters|Device or user|2|<p>0: Uppercase letters are allowed. <p>1: At least one uppercase letter is required.<p>2: Uppercase letters aren't allowed.|
-|Maximum PIN length |Device or user|127 |<p>Maximum length that can be set is 127. Maximum length can't be less than minimum setting.|
-|Minimum PIN length|Device or user|6|<p>Minimum length that can be set is 6. Minimum length can't be greater than maximum setting.|
-|Expiration |Device or user|0|<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.|
-|History|Device or user|0|<p>Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required.|
+|Digits |Device or user|1 |- 0: Digits are allowed. <br>- 1: At least one digit is required.<br>- 2: Digits aren't allowed.|
+|Lowercase letters |Device or user|2|- 0: Lowercase letters are allowed. <br>- 1: At least one lowercase letter is required.<br>- 2: Lowercase letters aren't allowed.|
+|Special characters|Device or user|2|- 0: Special characters are allowed. <br>- 1: At least one special character is required. <br>- 2: Special characters aren't allowed.|
+|Uppercase letters|Device or user|2|- 0: Uppercase letters are allowed. <br>- 1: At least one uppercase letter is required.<br>- 2: Uppercase letters aren't allowed.|
+|Maximum PIN length |Device or user|127 |- Maximum length that can be set is 127. Maximum length can't be less than minimum setting.|
+|Minimum PIN length|Device or user|6|- Minimum length that can be set is 6. Minimum length can't be greater than maximum setting.|
+|Expiration |Device or user|0|- Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.|
+|History|Device or user|0|- Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required.|
 
 ### Remote
 
@@ -92,42 +92,15 @@ The following table lists the MDM policy settings that you can configure for Win
 |UseRemotePassport|Device or user|False|Not currently supported.|
 
 >[!NOTE]
-> In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN.
+> If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN.
 
 ## Policy conflicts from multiple policy sources
 
-Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device.
+Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared.
 
-Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. 
+> [!IMPORTANT]
+> The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*.
 
-Feature enablement policy and certificate trust policy are grouped together and enforced from the same source (either GP or MDM), based on the rule above. The Use Passport for Work policy is used to determine the winning policy source.
+## Policy precedence
 
-All PIN complexity policies are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis.  
-
->[!NOTE]
-> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.
->
-><b>Examples</b>
->
->The following are configured using computer Group Policy:
->
->- Use Windows Hello for Business - Enabled
->- User certificate for on-premises authentication - Enabled
->
->The following are configured using device MDM Policy:
->
->- UsePassportForWork - Disabled
->- UseCertificateForOnPremAuth - Disabled
->- MinimumPINLength - 8
->- Digits - 1
->- LowercaseLetters - 1
->- SpecialCharacters - 1
->
->Enforced policy set:
->
->- Use Windows Hello for Business - Enabled
->- Use certificate for on-premises authentication - Enabled
->- MinimumPINLength - 8
->- Digits - 1
->- LowercaseLetters - 1
->- SpecialCharacters - 1
\ No newline at end of file
+Windows Hello for Business *user policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 3363f0ae55..e12ac5c2e7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -2,11 +2,11 @@
 title: Planning a Windows Hello for Business Deployment
 description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
 ms.date: 09/16/2020
-ms.topic: article
+ms.topic: overview
 ---
 # Planning a Windows Hello for Business Deployment
 
-Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
+Congratulations! You're taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
 
 This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
 
@@ -15,7 +15,7 @@ This guide explains the role of each component within Windows Hello for Business
 
 ## Using this guide
 
-There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization.
+There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It's important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization.
 
 This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you'll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier.
 
@@ -52,9 +52,9 @@ The cloud only deployment model is for organizations who only have cloud identit
 
 The hybrid deployment model is for organizations that: 
 
-- Are federated with Azure Active Directory
-- Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
-- Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
+- Are federated with Microsoft Entra ID
+- Have identities synchronized to Microsoft Entra ID using Microsoft Entra Connect
+- Use applications hosted in Microsoft Entra ID, and want a single sign-in user experience for both on-premises and Microsoft Entra resources
 
 > [!Important]
 > Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
@@ -64,7 +64,7 @@ The hybrid deployment model is for organizations that:
 > - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
 
 ##### On-premises
-The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory.
+The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Microsoft Entra ID.
 
 > [!Important]
 > On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
@@ -81,44 +81,44 @@ It's fundamentally important to understand which deployment model to use for a s
 A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory.  There are two trust types: key trust and certificate trust.
 
 > [!NOTE]
-> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](hello-hybrid-cloud-kerberos-trust.md).
 
-The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
 The certificate trust type issues authentication certificates to end users.  Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience.  Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)).  Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
 
 > [!NOTE]
-> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md).
 
 #### Device registration
 
-All devices included in the Windows Hello for Business deployment must go through device registration.  Device registration enables devices to authenticate to identity providers.  For cloud only and hybrid deployment, the identity provider is Azure Active Directory.  For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role.
+All devices included in the Windows Hello for Business deployment must go through device registration.  Device registration enables devices to authenticate to identity providers.  For cloud only and hybrid deployment, the identity provider is Microsoft Entra ID.  For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role.
 
 #### Key registration
 
-The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules; however, the credential is a user key (not a device key).  The provisioning experience registers the user's public key with the identity provider.  For cloud only and hybrid deployments, the identity provider is Azure Active Directory.  For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
+The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules; however, the credential is a user key (not a device key).  The provisioning experience registers the user's public key with the identity provider.  For cloud only and hybrid deployments, the identity provider is Microsoft Entra ID.  For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
 
 #### Multifactor authentication
 
 > [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure AD Multi-Factor Authentication Server](/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
+> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multifactor authentication for their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
 
-The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication.  The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.  
+The goal of Windows Hello for Business is to move organizations away from passwords by providing them a with strong credential that provides easy two-factor authentication.  The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.  
 
-Cloud only and hybrid deployments provide many choices for multi-factor authentication.  On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure AD Multi-Factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
+Cloud only and hybrid deployments provide many choices for multifactor authentication.  On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-Factor Authentication Server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
 > [!NOTE]
-> Azure AD Multi-Factor Authentication is available through:
+> Microsoft Entra multifactor authentication is available through:
 > * Microsoft Enterprise Agreement
 > * Open Volume License Program
 > * Cloud Solution Providers program
 > * Bundled with
->    * Azure Active Directory Premium
+>    * Microsoft Entra ID P1 or P2
 >    * Enterprise Mobility Suite
 >    * Enterprise Cloud Suite
 
 #### Directory synchronization
 
-Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose.  Hybrid deployments use Azure Active Directory Connect to synchronize Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components. On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA Server, which sends data to the Azure MFA cloud service to perform the verification.
+Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose.  Hybrid deployments use Microsoft Entra Connect to synchronize Active Directory identities or credentials between itself and Microsoft Entra ID. This helps enable single sign-on to Microsoft Entra ID and its federated components. On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA Server, which sends data to the Azure MFA cloud service to perform the verification.
 
 ### Management
 
@@ -136,7 +136,7 @@ Modern management is an emerging device management paradigm that leverages the c
 
 Windows Hello for Business is an exclusive Windows 10 and Windows 11 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows and introduced support for new scenarios.
 
-Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update.  The client requirement may change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices may require a minimum client running Windows 10, version 1703, also known as the Creators Update.
+Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update.  The client requirement might change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices might require a minimum client running Windows 10, version 1703, also known as the Creators Update.
 
 
 ### Active Directory
@@ -145,11 +145,11 @@ Hybrid and on-premises deployments include Active Directory as part of their inf
 
 ### Public Key Infrastructure
 
-The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users.  Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
+The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users.  Hybrid deployments might need to issue VPN certificates to users to enable connectivity on-premises resources.
 
 ### Cloud
 
-Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities.  These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from those that are optional.
+Some deployment combinations require an Azure account, and some require Microsoft Entra ID for user identities.  These cloud requirements may only need an Azure account while other features need a Microsoft Entra ID P1 or P2 subscription. The planning process identifies and differentiates the components that are needed from those that are optional.
 
 ## Planning a Deployment
 
@@ -173,13 +173,13 @@ If your organization does not have cloud resources, write **On-Premises** in box
 
 ### Trust type
 
-Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates.  Hybrid Azure AD-joined devices and Azure AD-joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
+Microsoft Entra hybrid joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates.  Microsoft Entra hybrid joined devices and Microsoft Entra joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
 
 Choose a trust type that is best suited for your organizations.  Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers.
 
 One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers and needing to enroll certificates for all their users (certificate trust).  
 
-Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision.  Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority.  In a federated environment, you need to activate the Device Writeback option in Azure AD Connect.
+Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision.  Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority.  In a federated environment, you need to activate the Device Writeback option in Microsoft Entra Connect.
 
 If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**.
 
@@ -203,17 +203,17 @@ If box **1a** on your planning worksheet reads **on-premises**, write **AD FS**
 
 ### Directory Synchronization
 
-Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair).  Some operations require writing or reading user data to or from the directory. For example, reading the user's phone number to perform multi-factor authentication during provisioning or writing the user's public key.
+Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair).  Some operations require writing or reading user data to or from the directory. For example, reading the user's phone number to perform multifactor authentication during provisioning or writing the user's public key.
 
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**.  User information is written directly to Azure Active Directory and there is not another directory with which the information must be synchronized.
+If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**.  User information is written directly to Microsoft Entra ID and there is not another directory with which the information must be synchronized.
 
-If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet.
+If box **1a** on your planning worksheet reads **hybrid**, then write **Microsoft Entra Connect** in box **1e** on your planning worksheet.
 
-If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**.  This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication.  The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user's credentials remain on the on-premises network.
+If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**.  This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication.  The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user's credentials remain on the on-premises network.
 
-### Multifactor Authentication
+### Multifactor authentication
 
-The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication.  Passwords are weak credentials and cannot be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business.  To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multi-factor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity.
+The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication.  Passwords are weak credentials and cannot be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business.  To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multifactor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity.
 
 If box **1a** on your planning worksheet reads **cloud only**, then your only option is to use the Azure MFA cloud service.  Write **Azure MFA** in box **1f** on your planning worksheet.
 
@@ -225,7 +225,7 @@ If box **1a** on your planning worksheet reads **hybrid**, then you have a few o
 
 You can directly use the Azure MFA cloud service for the second factor of authentication. Users contacting the service must authenticate to Azure prior to using the service.
 
-If your Azure AD Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service.  Otherwise, your Azure AD Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Azure Active Directory and use the Azure MFA cloud service.  If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet.
+If your Microsoft Entra Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service.  Otherwise, your Microsoft Entra Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Microsoft Entra ID and use the Azure MFA cloud service.  If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet.
 
 You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication.  If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet.
 
@@ -241,10 +241,10 @@ If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with
 
 Windows Hello for Business provides organizations with many policy settings and granular control on how these settings may be applied to both computers and users.  The type of policy management you can use depends on your selected deployment and trust models.
 
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet.  You have the option to manage non-domain joined devices.  If you choose to manage Azure Active Directory-joined devices, write **modern management** in box **2b** on your planning worksheet.  Otherwise, write** N/A** in box **2b**.
+If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet.  You have the option to manage non-domain joined devices.  If you choose to manage Microsoft Entra joined devices, write **modern management** in box **2b** on your planning worksheet.  Otherwise, write** N/A** in box **2b**.
 
 > [!NOTE]
-> Azure Active Directory-joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings.  Use modern management to adjust policy settings to match the business needs of your organization.
+> Microsoft Entra joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings.  Use modern management to adjust policy settings to match the business needs of your organization.
 
 If box **1a** on your planning worksheet reads **on-prem**, write **GP** in box **2a** on your planning worksheet. Write **N/A** in box **2b** on your worksheet.
 
@@ -260,7 +260,7 @@ Windows Hello for Business is a feature exclusive to Windows 10 and Windows 11.
 
 If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet.  Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
 > [!NOTE]
-> Azure Active Directory-joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings.  Use modern management to adjust policy settings to match the business needs of your organization.
+> Microsoft Entra joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings.  Use modern management to adjust policy settings to match the business needs of your organization.
 
 Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true. 
 * Box **2a** on your planning worksheet read **modern management**. 
@@ -288,7 +288,7 @@ If box **1a** on your planning worksheet reads **cloud only**, ignore the public
 
 If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. Key trust doesn't require any change in public key infrastructure, skip this part and go to **Cloud** section.
 
-The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices.  Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates.  Hybrid Azure AD-joined devices and Azure AD-joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. 
+The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices.  Microsoft Entra hybrid joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates.  Microsoft Entra hybrid joined devices and Microsoft Entra joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. 
 
 If box **2a** reads **GP** and box **2b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet.  In box **5c**, write the following certificate templates names and issuances:
 
@@ -323,18 +323,18 @@ If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, wri
 
 If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
 
-Windows Hello for Business does not require an Azure AD premium subscription.  However, some dependencies, such as [MDM automatic enrollment](/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](/azure/active-directory/conditional-access/overview) do.
+Windows Hello for Business does not require a Microsoft Entra ID P1 or P2 subscription.  However, some dependencies, such as [MDM automatic enrollment](/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](/azure/active-directory/conditional-access/overview) do.
 
 If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
 
-If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](/azure/active-directory/authentication/concept-mfa-licensing).
+If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication through the use of security defaults. Some Microsoft Entra multifactor authentication features require a license. For more details, see [Features and licenses for Microsoft Entra multifactor authentication](/azure/active-directory/authentication/concept-mfa-licensing).
 
-If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet.  Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature.
+If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet.  Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature.
 
-Modern managed devices do not require an Azure AD premium subscription.  By forgoing the subscription, your users must manually enroll devices in the modern management software, such as Intune or a supported third-party MDM.
+Modern managed devices do not require a Microsoft Entra ID P1 or P2 subscription.  By forgoing the subscription, your users must manually enroll devices in the modern management software, such as Intune or a supported third-party MDM.
 
 If boxes **2a** or **2b** read **modern management** and you want devices to automatically enroll in your modern management software, write **Yes** in box **6c** on your planning worksheet.  Otherwise, write **No** in box **6c**.
 
 ## Congratulations, You're Done
 
-Your Windows Hello for Business planning worksheet should be complete.  This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used.  The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment.  With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.
+Your Windows Hello for Business planning worksheet should be complete.  This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they're used.  The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment.  With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index fc9083049d..87cd5f6ea5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -2,7 +2,7 @@
 title: Prepare people to use Windows Hello 
 description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
 ms.date: 08/19/2018
-ms.topic: article
+ms.topic: end-user-help
 ---
 # Prepare people to use Windows Hello
 
@@ -10,7 +10,7 @@ When you set a policy to require Windows Hello for Business in the workplace, yo
 
 After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
 
-Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello.
+Although the organization may require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello.
 
 People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
 
@@ -52,4 +52,3 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
 - [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index 0963b04163..24b362c125 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -1,8 +1,8 @@
 ---
 title: Windows Hello for Business Videos
 description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
-ms.date: 03/09/2023
-ms.topic: article
+ms.date: 09/07/2023
+ms.topic: get-started
 ---
 # Windows Hello for Business Videos
 ## Overview of Windows Hello for Business and Features
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/aduc-account-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/aduc-account-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/exclude-credential-providers-properties.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/exclude-credential-providers-properties.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/four-steps-passwordless-strategy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/four-steps-passwordless-strategy.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-exclude-credential-providers.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-exclude-credential-providers.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-require-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-require-smart-card-policy.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-security-options.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-security-options.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/require-whfb-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/require-whfb-smart-card-policy.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/server-2012-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/server-2012-adac-user-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-domain-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-domain-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-user-scril.png
rename to windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png
new file mode 100644
index 0000000000..06a13b6f1a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg b/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg
new file mode 100644
index 0000000000..dd8c09b2dd
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg
@@ -0,0 +1,11 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M1.81653 0H18.1835C19.1859 0 20 0.814095 20 1.81653V18.1835C20 19.1859 19.1859 20 18.1835 20H1.81653C0.814095 20 0 19.1859 0 18.1835V1.81653C0 0.814095 0.814095 0 1.81653 0Z" fill="#605E5C"/>
+<g clip-path="url(#clip0_111_2097)">
+<path d="M11.027 8.93146C10.9795 9.21812 11.061 9.51843 11.2714 9.73002L14.4419 12.9174C14.5641 13.0403 14.6252 13.1973 14.6252 13.3679V14.4736C14.6252 14.5418 14.5709 14.6033 14.4962 14.6033H13.2267C13.1588 14.6033 13.0977 14.5487 13.0977 14.4736V13.7092C13.0977 13.3542 12.8125 13.0676 12.4595 13.0676H11.5702V12.1735C11.5702 11.8186 11.285 11.5319 10.932 11.5319H10.0426V11.1497C10.0426 11.02 9.98153 10.904 9.8729 10.8289C9.76428 10.7606 9.6285 10.747 9.51309 10.7948C9.19401 10.9313 8.84098 11.02 8.49474 11.02C7.08263 11.02 5.9285 9.86652 5.9285 8.44004C5.9285 7.01355 7.06905 5.91468 8.49474 5.91468C9.92043 5.91468 11.061 7.06815 11.061 8.49464C11.061 8.63115 11.0406 8.76765 11.0135 8.92463L11.027 8.93146ZM5.17493 8.45369C5.17493 10.2965 6.6685 11.7981 8.50153 11.7981C8.77309 11.7981 9.03786 11.7571 9.28905 11.6957C9.30263 12.037 9.58098 12.31 9.92043 12.31H10.8098V13.2041C10.8098 13.559 11.0949 13.8457 11.4479 13.8457H12.3373V14.4872C12.3373 14.9787 12.7379 15.3814 13.2267 15.3814H14.4962C14.985 15.3814 15.3856 14.9787 15.3856 14.4872V13.3815C15.3856 13.0062 15.2362 12.6512 14.9782 12.3919L11.8078 9.20447C11.8078 9.20447 11.7602 9.12939 11.7738 9.08162C11.8078 8.90416 11.8281 8.71305 11.8281 8.51512C11.8281 6.65864 10.3413 5.15707 8.50153 5.15707C6.66171 5.15707 5.17493 6.59721 5.17493 8.45369ZM7.74116 7.04768C8.09419 7.04768 8.37933 7.33434 8.37933 7.68926C8.37933 8.04417 8.09419 8.33083 7.74116 8.33083C7.38814 8.33083 7.103 8.04417 7.103 7.68926C7.103 7.33434 7.38814 7.04768 7.74116 7.04768Z" fill="white"/>
+</g>
+<defs>
+<clipPath id="clip0_111_2097">
+<rect width="10.2106" height="10.2106" fill="white" transform="translate(5.17493 5.15707)"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png
new file mode 100644
index 0000000000..ccfade47d9
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png
new file mode 100644
index 0000000000..abb9b6456d
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png
new file mode 100644
index 0000000000..8913baa8ce
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png
new file mode 100644
index 0000000000..b0d03a6299
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif
index 2ef07cd63c..d8aba4d740 100644
Binary files a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset.gif differ
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
index a9b2685f07..17dc33d7c4 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-cloud.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
 ms.topic: include
 ---
 
-[cloud :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#cloud-deployment "For organizations using Azure AD-only identities. Device management is usually done via Intune/MDM")
\ No newline at end of file
+[cloud :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
index b6ba025722..a67cb2cf2b 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-hybrid.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
 ms.topic: include
 ---
 
-[hybrid :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Azure AD. Device management is usually done via Group Policy or Intune/MDM")
\ No newline at end of file
+[hybrid :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
index 5426da4561..c33f3da2de 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-deployment-onpremises.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
 ms.topic: include
 ---
 
-[on-premises :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Azure AD. Device management is usually done via Group Policy")
\ No newline at end of file
+[on-premises :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
index 82f5f99a23..29b890c78b 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-aad.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
 ms.topic: include
 ---
 
-[Azure AD join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Azure AD joined do not have any dependencies on Active Directory. Only local users accounts and Azure AD users can sign in to these devices")
\ No newline at end of file
+[Microsoft Entra join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices")
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md b/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
index ba8b5df65a..80f9992cb8 100644
--- a/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
+++ b/windows/security/identity-protection/hello-for-business/includes/hello-join-hybrid.md
@@ -3,4 +3,4 @@ ms.date: 12/08/2022
 ms.topic: include
 ---
 
-[hybrid Azure AD join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are hybrid Azure AD joined don't have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Azure AD will have single-sign on to both Active Directory and Azure AD-protected resources")
\ No newline at end of file
+[Microsoft Entra hybrid join :::image type="icon" source="../../../images/icons/information.svg" border="false":::](../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources")
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index 84acf6b19c..953074993d 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -4,7 +4,7 @@ description: Learn how Windows Hello for Business replaces passwords with strong
 ms.collection: 
   - highpri
   - tier1
-ms.topic: conceptual
+ms.topic: overview
 ms.date: 04/24/2023
 ---
 # Windows Hello for Business Overview
@@ -25,7 +25,7 @@ Windows Hello lets users authenticate to:
 
 - A Microsoft account.
 - An Active Directory account.
-- A Microsoft Azure Active Directory (Azure AD) account.
+- A Microsoft Entra account.
 - Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.
 
 After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users.
@@ -71,7 +71,7 @@ Windows Hello helps protect user identities and user credentials. Because the us
 
 - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
 
-- An identity provider validates the user identity and maps the Windows Hello public key to a user account during the registration step. Example providers are Active Directory, Azure AD, or a Microsoft account.
+- An identity provider validates the user identity and maps the Windows Hello public key to a user account during the registration step. Example providers are Active Directory, Microsoft Entra ID, or a Microsoft account.
 
 - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. To guarantee that keys are generated in hardware, you must set policy.
 
@@ -81,7 +81,7 @@ Windows Hello helps protect user identities and user credentials. Because the us
 
 - PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user.
 
-- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
+- Personal (Microsoft account) and corporate (Active Directory or Microsoft Entra ID) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
 
 - Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture.
 
@@ -89,9 +89,9 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
 
 ## Comparing key-based and certificate-based authentication
 
-Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Azure AD as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
+Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Microsoft Entra ID as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
 
-Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Remote Credential Guard](../remote-credential-guard.md).
 
 ## Learn more
 
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 9dafd8be5b..a66a69f90c 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -13,11 +13,11 @@ This article describes Windows' password-less strategy and how Windows Hello for
 
 Over the past few years, Microsoft has continued their commitment to enabling a world without passwords.
 
-:::image type="content" source="images/passwordless/four-steps-passwordless-strategy.png" alt-text="Diagram of stair-step strategy with four steps.":::
+:::image type="content" source="images/passwordless-strategy/four-steps-passwordless-strategy.png" alt-text="Diagram of stair-step strategy with four steps.":::
 
 ### 1. Develop a password replacement offering
 
-Before you move away from passwords, you need something to replace them. With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory.
+Before you move away from passwords, you need something to replace them. With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Microsoft Entra ID and Active Directory.
 
 Deploying Windows Hello for Business is the first step towards a password-less environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
 
@@ -147,7 +147,7 @@ After successfully moving a work persona to password freedom, you can prioritize
 
 ### Password-less replacement offering (step 1)
 
-The first step to password freedom is providing an alternative to passwords. Windows 10 and Windows 11 provide an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
+The first step to password freedom is providing an alternative to passwords. Windows 10 and Windows 11 provide an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Microsoft Entra ID and Active Directory.
 
 #### Identify test users that represent the targeted work persona
 
@@ -160,7 +160,7 @@ Next, you'll want to plan your Windows Hello for Business deployment. Your test
 With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you'll only need to deploy the infrastructure once. When other targeted work personas need to start using Windows Hello for Business, add them to a group. You'll use the first work persona to validate your Windows Hello for Business deployment.
 
 > [!NOTE]
-> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices.
+> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Microsoft Entra ID. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices.
 
 #### Validate that passwords and Windows Hello for Business work
 
@@ -206,7 +206,7 @@ Start mitigating password usages based on the workflows of your targeted persona
 
 Mitigating password usage with applications is one of the more challenging obstacles in the password-less journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS).
 
-The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
+The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Microsoft Entra ID or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
 
 Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication.
 
@@ -224,17 +224,17 @@ Windows provides two ways to prevent your users from using passwords. You can us
 
 You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**.  The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
 
-:::image type="content" source="images/passwordless/gpmc-security-options.png" alt-text="The Group Policy Management Editor displaying the location of the Security Options node.":::
+:::image type="content" source="images/passwordless-strategy/gpmc-security-options.png" alt-text="The Group Policy Management Editor displaying the location of the Security Options node.":::
 
 **Windows Server 2016 and earlier**
 The policy name for these operating systems is **Interactive logon: Require smart card**.
 
-:::image type="content" source="images/passwordless/gpmc-require-smart-card-policy.png" alt-text="The Group Policy Management Editor displaying the location of the policy 'Interactive logon: Require smart card'.":::
+:::image type="content" source="images/passwordless-strategy/gpmc-require-smart-card-policy.png" alt-text="The Group Policy Management Editor displaying the location of the policy 'Interactive logon: Require smart card'.":::
 
 **Windows 10, version 1703 or later using Remote Server Administrator Tools**
 The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
 
-:::image type="content" source="images/passwordless/require-whfb-smart-card-policy.png" alt-text="Highlighting the security policy 'Interactive logon: Require Windows Hello for Business or smart card'.":::
+:::image type="content" source="images/passwordless-strategy/require-whfb-smart-card-policy.png" alt-text="Highlighting the security policy 'Interactive logon: Require Windows Hello for Business or smart card'.":::
 
 When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
 
@@ -242,11 +242,11 @@ When you enable this security policy setting, Windows prevents users from signin
 
 You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**:
 
-:::image type="content" source="images/passwordless/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'.":::
+:::image type="content" source="images/passwordless-strategy/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'.":::
 
 The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`.
 
-:::image type="content" source="images/passwordless/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'.":::
+:::image type="content" source="images/passwordless-strategy/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'.":::
 
 Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This configuration prevents the user from entering a password using the credential provider. However, this change doesn't prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
 
@@ -296,7 +296,7 @@ The account options on a user account include the option **Smart card is require
 
 The following image shows the SCRIL setting for a user in Active Directory Users and Computers:
 
-:::image type="content" source="images/passwordless/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options.":::
+:::image type="content" source="images/passwordless-strategy/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options.":::
 
 When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Users will no longer need to change their password when it expires, because passwords for SCRIL users don't expire. The users are effectively password-less because:
 
@@ -307,7 +307,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect
 
 The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012:
 
-:::image type="content" source="images/passwordless/server-2012-adac-user-scril.png" alt-text="Example user properties in Windows Server 2012 Active Directory Administrative Center that shows the SCRIL setting.":::
+:::image type="content" source="images/passwordless-strategy/server-2012-adac-user-scril.png" alt-text="Example user properties in Windows Server 2012 Active Directory Administrative Center that shows the SCRIL setting.":::
 
 > [!NOTE]
 > Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account to generate a new random 128 bit password. Use the following process to toggle this configuration:
@@ -317,11 +317,11 @@ The following image shows the SCRIL setting for a user in Active Directory Admin
 > 1. Enable the setting.
 > 1. Save changes again.
 >
-> When you upgrade the domain to Windows Server 2016 domain forest functional level or later, the domain controller automatically does this action for you.
+> When you upgrade the domain functional level to Windows Server 2016 or later, the domain controller automatically does this action for you.
 
 The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016:
 
-:::image type="content" source="images/passwordless/server-2016-adac-user-scril.png" alt-text="Example user properties in Windows Server 2016 Active Directory Administrative Center that shows the SCRIL setting.":::
+:::image type="content" source="images/passwordless-strategy/server-2016-adac-user-scril.png" alt-text="Example user properties in Windows Server 2016 Active Directory Administrative Center that shows the SCRIL setting.":::
 
 > [!TIP]
 > Windows Hello for Business was formerly known as Microsoft Passport.
@@ -332,8 +332,7 @@ Domains configured for Windows Server 2016 or later domain functional level can
 
 In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128-bit password for the user as part of the authentication. This feature is great because your users don't experience any change password notifications or any authentication outages.
 
-:::image type="content" source="images/passwordless/server-2016-adac-domain-scril.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL.":::
+:::image type="content" source="images/passwordless-strategy/server-2016-adac-domain-scril.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL.":::
 
 > [!NOTE]
 > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
-
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index ad2fc7674a..ee0f2774a8 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -4,8 +4,6 @@ items:
 - name: Concepts
   expanded: true
   items:
-  - name: Passwordless strategy
-    href: passwordless-strategy.md
   - name: Why a PIN is better than a password
     href: hello-why-pin-is-better-than-password.md
   - name: Windows Hello biometrics in the enterprise
@@ -43,7 +41,7 @@ items:
       - name: Configure and provision Windows Hello for Business
         href: hello-hybrid-key-trust-provision.md
         displayName: key trust
-      - name: Configure SSO for Azure AD joined devices
+      - name: Configure SSO for Microsoft Entra joined devices
         href: hello-hybrid-aadj-sso.md
         displayName: key trust
     - name: Certificate trust deployment
@@ -60,10 +58,10 @@ items:
       - name: Configure and provision Windows Hello for Business
         href: hello-hybrid-cert-whfb-provision.md
         displayName: certificate trust
-      - name: Configure SSO for Azure AD joined devices
+      - name: Configure SSO for Microsoft Entra joined devices
         href: hello-hybrid-aadj-sso.md
         displayName: certificate trust
-      - name: Deploy certificates to Azure AD joined devices
+      - name: Deploy certificates to Microsoft Entra joined devices
         href: hello-hybrid-aadj-sso-cert.md
         displayName: certificate trust
   - name: On-premises deployments
@@ -112,6 +110,8 @@ items:
   items:
   - name: PIN reset
     href: hello-feature-pin-reset.md
+  - name: Windows Hello Enhanced Security Sign-in (ESS) 🔗
+    href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
   - name: Dual enrollment
     href: hello-feature-dual-enrollment.md  
   - name: Dynamic Lock
diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
index 7646115753..1eb2da9944 100644
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@@ -2,7 +2,7 @@
 title: WebAuthn APIs
 description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
 ms.date: 07/27/2023
-ms.topic: article
+ms.topic: how-to
 ---
 # WebAuthn APIs for passwordless authentication on Windows
 <!--MAXADO-6021798-->
diff --git a/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png b/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png
deleted file mode 100644
index f7767ac5f0..0000000000
Binary files a/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/remote-credential-guard-gp.png b/windows/security/identity-protection/images/remote-credential-guard-gp.png
deleted file mode 100644
index f7db3ee411..0000000000
Binary files a/windows/security/identity-protection/images/remote-credential-guard-gp.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/remote-credential-guard.gif b/windows/security/identity-protection/images/remote-credential-guard.gif
new file mode 100644
index 0000000000..effe8a4bc2
Binary files /dev/null and b/windows/security/identity-protection/images/remote-credential-guard.gif differ
diff --git a/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png b/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png
deleted file mode 100644
index 56021d820e..0000000000
Binary files a/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png and /dev/null differ
diff --git a/windows/security/identity-protection/passkeys/images/delete-passkey.png b/windows/security/identity-protection/passkeys/images/delete-passkey.png
new file mode 100644
index 0000000000..1363d8db62
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/delete-passkey.png differ
diff --git a/windows/security/identity-protection/passkeys/images/device-save-qr.png b/windows/security/identity-protection/passkeys/images/device-save-qr.png
new file mode 100644
index 0000000000..e551a1e528
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/device-save-qr.png differ
diff --git a/windows/security/identity-protection/passkeys/images/device-save.png b/windows/security/identity-protection/passkeys/images/device-save.png
new file mode 100644
index 0000000000..240b3a9695
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/device-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/device-use.png b/windows/security/identity-protection/passkeys/images/device-use.png
new file mode 100644
index 0000000000..5aa3daea3d
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/device-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-save-confirm.png b/windows/security/identity-protection/passkeys/images/hello-save-confirm.png
new file mode 100644
index 0000000000..b9fdda9002
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-save-confirm.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-save.png b/windows/security/identity-protection/passkeys/images/hello-save.png
new file mode 100644
index 0000000000..785a45596b
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-use-confirm.png b/windows/security/identity-protection/passkeys/images/hello-use-confirm.png
new file mode 100644
index 0000000000..4139c708c3
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-use-confirm.png differ
diff --git a/windows/security/identity-protection/passkeys/images/hello-use.png b/windows/security/identity-protection/passkeys/images/hello-use.png
new file mode 100644
index 0000000000..df46054877
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/hello-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/laptop.svg b/windows/security/identity-protection/passkeys/images/laptop.svg
new file mode 100644
index 0000000000..2440c97fd5
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/laptop.svg
@@ -0,0 +1,3 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M3 7C3 5.89543 3.89543 5 5 5H15C16.1046 5 17 5.89543 17 7V12C17 13.1046 16.1046 14 15 14H5C3.89543 14 3 13.1046 3 12V7ZM5 6C4.44772 6 4 6.44772 4 7V12C4 12.5523 4.44772 13 5 13H15C15.5523 13 16 12.5523 16 12V7C16 6.44772 15.5523 6 15 6H5ZM2 15.5C2 15.2239 2.22386 15 2.5 15H17.5C17.7761 15 18 15.2239 18 15.5C18 15.7761 17.7761 16 17.5 16H2.5C2.22386 16 2 15.7761 2 15.5Z" fill="#0078D4"/>
+</svg>
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/linked-device-connect.png b/windows/security/identity-protection/passkeys/images/linked-device-connect.png
new file mode 100644
index 0000000000..34cb085968
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/linked-device-connect.png differ
diff --git a/windows/security/identity-protection/passkeys/images/linked-device-save.png b/windows/security/identity-protection/passkeys/images/linked-device-save.png
new file mode 100644
index 0000000000..48bd40f658
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/linked-device-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/linked-device-use.png b/windows/security/identity-protection/passkeys/images/linked-device-use.png
new file mode 100644
index 0000000000..5aeacdae7a
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/linked-device-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/phone.svg b/windows/security/identity-protection/passkeys/images/phone.svg
new file mode 100644
index 0000000000..acb1dce81f
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/phone.svg
@@ -0,0 +1,3 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M9 14C8.72386 14 8.5 14.2239 8.5 14.5C8.5 14.7761 8.72386 15 9 15H11C11.2761 15 11.5 14.7761 11.5 14.5C11.5 14.2239 11.2761 14 11 14H9ZM7 2C5.89543 2 5 2.89543 5 4V16C5 17.1046 5.89543 18 7 18H13C14.1046 18 15 17.1046 15 16V4C15 2.89543 14.1046 2 13 2H7ZM6 4C6 3.44772 6.44772 3 7 3H13C13.5523 3 14 3.44772 14 4V16C14 16.5523 13.5523 17 13 17H7C6.44772 17 6 16.5523 6 16V4Z" fill="#0078D4"/>
+</svg>
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/qr-code.svg b/windows/security/identity-protection/passkeys/images/qr-code.svg
new file mode 100644
index 0000000000..d84c521351
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/qr-code.svg
@@ -0,0 +1,3 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M11 15H13V17H11V15ZM15 15H17V17H15V15ZM11 11H13V13H11V11ZM13 13H15V15H13V13ZM15 11H17V13H15V11ZM3 5C3 3.89543 3.89543 3 5 3H7C8.10457 3 9 3.89543 9 5V7C9 8.10457 8.10457 9 7 9H5C3.89543 9 3 8.10457 3 7V5ZM5 4C4.44772 4 4 4.44772 4 5V7C4 7.55228 4.44772 8 5 8H7C7.55228 8 8 7.55228 8 7V5C8 4.44772 7.55228 4 7 4H5ZM5 5H7V7H5V5ZM3 13C3 11.8954 3.89543 11 5 11H7C8.10457 11 9 11.8954 9 13V15C9 16.1046 8.10457 17 7 17H5C3.89543 17 3 16.1046 3 15V13ZM5 12C4.44772 12 4 12.4477 4 13V15C4 15.5523 4.44772 16 5 16H7C7.55228 16 8 15.5523 8 15V13C8 12.4477 7.55228 12 7 12H5ZM5 13H7V15H5V13ZM11 5C11 3.89543 11.8954 3 13 3H15C16.1046 3 17 3.89543 17 5V7C17 8.10457 16.1046 9 15 9H13C11.8954 9 11 8.10457 11 7V5ZM13 4C12.4477 4 12 4.44772 12 5V7C12 7.55228 12.4477 8 13 8H15C15.5523 8 16 7.55228 16 7V5C16 4.44772 15.5523 4 15 4H13ZM13 5H15V7H13V5Z" fill="#0078D4"/>
+</svg>
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/save-passkey.png b/windows/security/identity-protection/passkeys/images/save-passkey.png
new file mode 100644
index 0000000000..9dd3799a14
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/save-passkey.png differ
diff --git a/windows/security/identity-protection/passkeys/images/security-key-save.png b/windows/security/identity-protection/passkeys/images/security-key-save.png
new file mode 100644
index 0000000000..a17554e17c
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/security-key-save.png differ
diff --git a/windows/security/identity-protection/passkeys/images/security-key-setup.png b/windows/security/identity-protection/passkeys/images/security-key-setup.png
new file mode 100644
index 0000000000..192d63cc74
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/security-key-setup.png differ
diff --git a/windows/security/identity-protection/passkeys/images/security-key-use.png b/windows/security/identity-protection/passkeys/images/security-key-use.png
new file mode 100644
index 0000000000..1513aa359e
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/security-key-use.png differ
diff --git a/windows/security/identity-protection/passkeys/images/usb.svg b/windows/security/identity-protection/passkeys/images/usb.svg
new file mode 100644
index 0000000000..18027400c1
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/images/usb.svg
@@ -0,0 +1,3 @@
+<svg width="9" height="16" viewBox="0 0 9 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M8.39062 4.07812C8.27083 4.02604 8.14062 4 8 4V0H0.999999V4C0.859374 4 0.729166 4.02604 0.609375 4.07812C0.489583 4.13021 0.384114 4.20182 0.292968 4.29297C0.201822 4.38411 0.130208 4.48958 0.0781248 4.60937C0.0260416 4.72916 0 4.85937 0 5V15C0 15.1406 0.0260416 15.2708 0.0781248 15.3906C0.130208 15.5104 0.201822 15.6159 0.292968 15.707C0.384114 15.7982 0.489583 15.8698 0.609375 15.9219C0.729166 15.9739 0.859374 16 0.999999 16H8C8.14062 16 8.27083 15.9739 8.39062 15.9219C8.51041 15.8698 8.61588 15.7982 8.70703 15.707C8.79817 15.6159 8.86979 15.5104 8.92187 15.3906C8.97395 15.2708 8.99999 15.1406 8.99999 15V5C8.99999 4.85937 8.97395 4.72916 8.92187 4.60937C8.86979 4.48958 8.79817 4.38411 8.70703 4.29297C8.61588 4.20182 8.51041 4.13021 8.39062 4.07812ZM3 2H4V3H3V2ZM6 2V3H5V2H6ZM2 4H7V0.999999H2V4ZM0.999999 5H8V15H0.999999V5Z" fill="#0078D4"/>
+</svg>
\ No newline at end of file
diff --git a/windows/security/identity-protection/passkeys/images/use-passkey.png b/windows/security/identity-protection/passkeys/images/use-passkey.png
new file mode 100644
index 0000000000..1ff07346ea
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/use-passkey.png differ
diff --git a/windows/security/identity-protection/passkeys/images/website.png b/windows/security/identity-protection/passkeys/images/website.png
new file mode 100644
index 0000000000..d344d8dbde
Binary files /dev/null and b/windows/security/identity-protection/passkeys/images/website.png differ
diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md
new file mode 100644
index 0000000000..40d33d3ed3
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/index.md
@@ -0,0 +1,329 @@
+---
+title: Support for passkeys in Windows
+description: Learn about passkeys and how to use them on Windows devices.
+ms.collection: 
+- highpri
+- tier1
+ms.topic: article
+ms.date: 09/27/2023
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+---
+
+# Support for passkeys in Windows
+
+Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign-in challenges, making the authentication process faster, secure, and more convenient.
+
+You can use passkeys with any applications or websites that support them, to create and sign in with Windows Hello. Once a passkey is created and stored with Windows Hello, you can use your device's biometrics or PIN to sign in. Alternatively, you can use a companion device (phone or tablet) to sign in.
+
+> [!NOTE]
+> Starting in Windows 11, version 22H2 with [KB5030310][KB-1], Windows provides a native experience for passkey management. However, passkeys can be used in all supported versions of Windows clients.
+
+This article describes how to create and use passkeys on Windows devices.
+
+## How passkeys work
+
+Microsoft has long been a founding member of the FIDO Alliance and has helped to define and use passkeys natively within a platform authenticator like Windows Hello. Passkeys utilize the FIDO industry security standard, which is adopted by all major platforms. Leading technology companies like Microsoft are backing passkeys as part of the FIDO Alliance, and numerous websites and apps are integrating support for passkeys.
+
+The FIDO protocols rely on standard public/private key cryptography techniques to offer more secure authentication. When a user registers with an online service, their client device generates a new key pair. The private key is stored securely on the user's device, while the public key is registered with the service. To authenticate, the client device must prove that it possesses the private key by signing a challenge. The private keys can only be used after they're unlocked by the user using the Windows Hello unlock factor (biometrics or PIN).
+
+FIDO protocols prioritize user privacy, as they're designed to prevent online services from sharing information or tracking users across different services. Additionally, any biometric information used in the authentication process remains on the user's device and isn't transmitted across the network or to the service.
+
+### Passkeys compared to passwords
+
+Passkeys have several advantages over passwords, including their ease of use and intuitive nature. Unlike passwords, passkeys are easy to create, don't need to be remembered, and don't need to be safeguarded. Additionally, passkeys are unique to each website or application, preventing their reuse. They're highly secure because they're only stored on the user's devices, with the service only storing public keys. Passkeys are designed to prevent attackers to guess or obtain them, which helps to make them resistant to phishing attempts where the attacker may try to trick the user into revealing the private key. Passkeys are enforced by the browsers or operating systems to only be used for the appropriate service, rather than relying on human verification. Finally, passkeys provide cross-device and cross-platform authentication, meaning that a passkey from one device can be used to sign in on another device.
+
+[!INCLUDE [passkey](../../../../includes/licensing/passkeys.md)]
+
+## User experiences
+
+### Create a passkey
+
+Follow these steps to create a passkey from a Windows device:
+
+:::row:::
+  :::column span="4":::
+
+  1. Open a website or app that supports passkeys
+
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="4":::
+
+  2. Create a passkey from your account settings
+
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="4":::
+  3. Choose where to save the passkey. By default, Windows offers to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations:
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+- **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN)
+- **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device
+- **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices
+- **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN)
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="images/save-passkey.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="4":::
+  4. Select **Next**
+  :::column-end:::
+:::row-end:::
+
+Pick one of the following options to learn how to save a passkey, based on where you want to store it.
+
+#### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows)
+
+:::row:::
+  :::column span="3":::
+
+  5. Select a Windows Hello verification method and proceed with the verification, then select **OK**
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/hello-save.png" alt-text="Screenshot showing the Windows Hello face verification method." lightbox="images/hello-save.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  6. The passkey is saved to your Windows device. To confirm select **OK**
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/hello-save-confirm.png" alt-text="Screenshot confirming that the passkey is saved to the Windows device" lightbox="images/hello-save-confirm.png" border="false":::
+  :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/qr-code.svg" border="false"::: **New phone or tablet**](#tab/mobile)
+
+:::row:::
+  :::column span="3":::
+
+  5. Scan the QR code with your phone or tablet. Wait for the connection to the device to be established and follow the instructions to save the passkey
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/device-save-qr.png" alt-text="Screenshot showing the QR code asking the user to scan on the device." lightbox="images/device-save-qr.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  6. Once the passkey is saved to your phone or tablet, select **OK**
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/device-save.png" alt-text="Screenshot confirming that the passkey is saved to the device." lightbox="images/device-save.png" border="false":::
+  :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked)
+
+:::row:::
+  :::column span="3":::
+
+  5. Once the connection to the linked device is established, follow the instructions on the device to save the passkey
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/linked-device-connect.png" alt-text="Screenshot showing the passkey save dialog connecting to a linked device." lightbox="images/linked-device-connect.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  6. Once the passkey is saved to your linked device, select **OK**
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/linked-device-save.png" alt-text="Screenshot confirming that the passkey is saved to the linked device." lightbox="images/linked-device-save.png" border="false":::
+  :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key)
+
+:::row:::
+  :::column span="3":::
+
+  5. Select **OK** to confirm that you want to set up a security key, and unlock the security key using the key's unlock mechanism
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/security-key-setup.png" alt-text="Screenshot showing a prompt to use a security key to store the passkey." lightbox="images/security-key-setup.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  6. Once the passkey is saved to the security key, select **OK**
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/security-key-save.png" alt-text="Screenshot confirming that the passkey is saved to the security key." lightbox="images/security-key-save.png" border="false":::
+  :::column-end:::
+:::row-end:::
+
+---
+
+### Use a passkey
+
+Follow these steps to use a passkey:
+
+:::row:::
+  :::column span="3":::
+  1. Open a website or app that supports passkeys
+  :::column-end:::
+  :::column span="1":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+  2. Select **Sign in with a passkey**, or a similar option
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="images/website.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+  3. If a passkey is stored locally and protected by Windows Hello, you're prompted to use Windows Hello to sign in. If you select the option **Use another device**, you can choose one of the following options:
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+- **This Windows device**: use this option to use a passkey that is stored locally on your Windows device, and protected by Windows Hello
+- **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device
+- **Linked device**: use this option if you want to sign in with a passkey stored on a device that is in proximity of the Windows device. This option is only supported for Android devices
+- **Security key**: use this option if you want to sign in with a passkey stored on a FIDO2 security key
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="images/use-passkey.png" border="false":::
+  :::column-end:::
+:::row-end:::
+
+Pick one of the following options to learn how to use a passkey, based on where you saved it.
+
+#### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows)
+
+:::row:::
+  :::column span="3":::
+
+  4. Select a Windows Hello unlock option
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/hello-use.png" alt-text="Screenshot showing the Windows Hello prompt for a verification method." lightbox="images/hello-use.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  5. Select **OK** to continue signing in
+
+  :::column-end:::
+  :::column span="1":::
+  :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/qr-code.svg" border="false"::: **Phone or tablet**](#tab/mobile)
+
+:::row:::
+  :::column span="3":::
+
+  4. Scan the QR code with your phone or tablet where you saved the passkey. Once the connection to the device is established, follow the instructions to use the passkey
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/device-use.png" alt-text="Screenshot showing the QR code to scan from your phone or tablet." lightbox="images/device-use.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="4":::
+
+  5. You're signed in to the website or app
+
+  :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked)
+
+:::row:::
+  :::column span="3":::
+
+  4. Once the connection to the linked device is established, follow the instructions on the device to use the passkey
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/linked-device-use.png" alt-text="Screenshot showing that the linked device is connected to Windows." lightbox="images/linked-device-use.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  5. You're signed in to the website or app
+
+  :::column-end:::
+  :::column span="1":::
+  :::column-end:::
+:::row-end:::
+
+#### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key)
+
+:::row:::
+  :::column span="3":::
+
+  4. Unlock the security key using the key's unlock mechanism
+
+  :::column-end:::
+  :::column span="1":::
+    :::image type="content" source="images/security-key-use.png" alt-text="Screenshot showing a prompt asking the user to unlock the security key." lightbox="images/security-key-use.png" border="false":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+
+  5. You're signed in to the website or app
+
+  :::column-end:::
+  :::column span="1":::
+  :::column-end:::
+:::row-end:::
+
+---
+
+### Manage passkeys
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use the Settings app to view and manage passkeys saved for apps or websites. Go to **Settings > Accounts > Passkeys**, or use the following shortcut:
+
+> [!div class="nextstepaction"]
+>
+> [Manage passkeys][MSS-1]
+
+- A list of saved passkeys is displayed and you can filter them by name
+- To delete a passkey, select **... > Delete passkey** next to the passkey name
+
+:::image type="content" source="images/delete-passkey.png" alt-text="Screenshot of the Settings app showing the delete option for a passkey." lightbox="images/delete-passkey.png" border="false":::
+
+> [!NOTE]
+> Some passkeys for *login.microsoft.com* can't be deleted, as they're used with Microsoft Entra ID and/or Microsoft Account for signing in to the device and Microsoft services.
+
+## :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for passkeys, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passkey**.
+
+<!--links used in this document-->
+
+[FHUB]: feedback-hub:?tabid=2&newFeedback=true
+[KB-1]: https://support.microsoft.com/kb/5030310
+[MSS-1]: ms-settings:savedpasskeys
diff --git a/windows/security/identity-protection/passwordless-experience/images/edge-on.png b/windows/security/identity-protection/passwordless-experience/images/edge-on.png
new file mode 100644
index 0000000000..06a13b6f1a
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/edge-on.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg b/windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg
new file mode 100644
index 0000000000..dd8c09b2dd
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-experience/images/key-credential-provider.svg
@@ -0,0 +1,11 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M1.81653 0H18.1835C19.1859 0 20 0.814095 20 1.81653V18.1835C20 19.1859 19.1859 20 18.1835 20H1.81653C0.814095 20 0 19.1859 0 18.1835V1.81653C0 0.814095 0.814095 0 1.81653 0Z" fill="#605E5C"/>
+<g clip-path="url(#clip0_111_2097)">
+<path d="M11.027 8.93146C10.9795 9.21812 11.061 9.51843 11.2714 9.73002L14.4419 12.9174C14.5641 13.0403 14.6252 13.1973 14.6252 13.3679V14.4736C14.6252 14.5418 14.5709 14.6033 14.4962 14.6033H13.2267C13.1588 14.6033 13.0977 14.5487 13.0977 14.4736V13.7092C13.0977 13.3542 12.8125 13.0676 12.4595 13.0676H11.5702V12.1735C11.5702 11.8186 11.285 11.5319 10.932 11.5319H10.0426V11.1497C10.0426 11.02 9.98153 10.904 9.8729 10.8289C9.76428 10.7606 9.6285 10.747 9.51309 10.7948C9.19401 10.9313 8.84098 11.02 8.49474 11.02C7.08263 11.02 5.9285 9.86652 5.9285 8.44004C5.9285 7.01355 7.06905 5.91468 8.49474 5.91468C9.92043 5.91468 11.061 7.06815 11.061 8.49464C11.061 8.63115 11.0406 8.76765 11.0135 8.92463L11.027 8.93146ZM5.17493 8.45369C5.17493 10.2965 6.6685 11.7981 8.50153 11.7981C8.77309 11.7981 9.03786 11.7571 9.28905 11.6957C9.30263 12.037 9.58098 12.31 9.92043 12.31H10.8098V13.2041C10.8098 13.559 11.0949 13.8457 11.4479 13.8457H12.3373V14.4872C12.3373 14.9787 12.7379 15.3814 13.2267 15.3814H14.4962C14.985 15.3814 15.3856 14.9787 15.3856 14.4872V13.3815C15.3856 13.0062 15.2362 12.6512 14.9782 12.3919L11.8078 9.20447C11.8078 9.20447 11.7602 9.12939 11.7738 9.08162C11.8078 8.90416 11.8281 8.71305 11.8281 8.51512C11.8281 6.65864 10.3413 5.15707 8.50153 5.15707C6.66171 5.15707 5.17493 6.59721 5.17493 8.45369ZM7.74116 7.04768C8.09419 7.04768 8.37933 7.33434 8.37933 7.68926C8.37933 8.04417 8.09419 8.33083 7.74116 8.33083C7.38814 8.33083 7.103 8.04417 7.103 7.68926C7.103 7.33434 7.38814 7.04768 7.74116 7.04768Z" fill="white"/>
+</g>
+<defs>
+<clipPath id="clip0_111_2097">
+<rect width="10.2106" height="10.2106" fill="white" transform="translate(5.17493 5.15707)"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/windows/security/identity-protection/passwordless-experience/images/lock-screen-off.png b/windows/security/identity-protection/passwordless-experience/images/lock-screen-off.png
new file mode 100644
index 0000000000..ccfade47d9
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/lock-screen-off.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/lock-screen-on.png b/windows/security/identity-protection/passwordless-experience/images/lock-screen-on.png
new file mode 100644
index 0000000000..abb9b6456d
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/lock-screen-on.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/uac-off.png b/windows/security/identity-protection/passwordless-experience/images/uac-off.png
new file mode 100644
index 0000000000..8913baa8ce
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/uac-off.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/images/uac-on.png b/windows/security/identity-protection/passwordless-experience/images/uac-on.png
new file mode 100644
index 0000000000..b0d03a6299
Binary files /dev/null and b/windows/security/identity-protection/passwordless-experience/images/uac-on.png differ
diff --git a/windows/security/identity-protection/passwordless-experience/index.md b/windows/security/identity-protection/passwordless-experience/index.md
new file mode 100644
index 0000000000..7ea73c4603
--- /dev/null
+++ b/windows/security/identity-protection/passwordless-experience/index.md
@@ -0,0 +1,143 @@
+---
+title: Windows passwordless experience
+description: Learn how Windows passwordless experience enables your organization to move away from passwords.
+ms.collection: 
+  - highpri
+  - tier1
+ms.date: 09/27/2023
+ms.topic: how-to
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+---
+
+# Windows passwordless experience
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], *Windows passwordless experience* is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.\
+When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords.
+
+With Windows passwordless experience, users who sign in with Windows Hello or a FIDO2 security key:
+
+- Can't use the password credential provider on the Windows lock screen
+- Aren't prompted to use a password during in-session authentications (for example, UAC elevation, password manager in the browser, etc.)
+- Don't have the option *Accounts > Change password* in the Settings app
+  
+  >[!NOTE]
+  >Users can reset their password using <kbd>CTRL</kbd>+<kbd>ALT</kbd>+<kbd>DEL</kbd> > **Manage your account**
+
+Windows passwordless experience doesn't affect the initial sign-in experience and local accounts. It only applies to subsequent sign-ins for Microsoft Entra accounts. It also doesn't prevent a user from signing in with a password when using the *Other user* option in the lock screen.\
+The password credential provider is hidden only for the last signed in user who signed in Windows Hello or a FIDO2 security key. Windows passwordless experience isn't about preventing users from using passwords, rather to guide and educate them to not use passwords.
+
+This article explains how to enable Windows passwordless experience and describes the user experiences.
+
+>[!TIP]
+> Windows Hello for Business users can achieve passwordless sign-in from the first sign-in using the Web sign-in feature. For more information about Web sign-in, see [Web sign-in for Windows devices](../web-sign-in/index.md).
+
+## System requirements
+
+Windows passwordless experience has the following requirements:
+
+- Windows 11, version 22H2 with [KB5030310][KB-1] or later
+- Microsoft Entra joined
+- Windows Hello for Business credentials enrolled for the user, or a FIDO2 security key
+- MDM-managed: Microsoft Intune or other MDM solution
+
+>[!NOTE]
+>Microsoft Entra hybrid joined devices and Active Directory domain joined devices are currently out of scope.
+
+[!INCLUDE [windows-passwordless-experience](../../../../includes/licensing/windows-passwordless-experience.md)]
+
+## Enable Windows passwordless experience with Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Authentication** | Enable Passwordless Experience | Enabled |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-2] with the [Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience`<br>- **Data type:** int<br>- **Value:** `1`|
+
+## User experiences
+
+### Lock screen experience
+
+:::row:::
+  :::column span="3":::
+  **Passwordless experience turned off**: users can sign in using a password, as indicated by the presence of the password credential provider  :::image type="icon" source="images/key-credential-provider.svg" border="false"::: in the Windows lock screen.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/lock-screen-off.png" lightbox="images/lock-screen-off.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint, PIN and password credential providers.":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+  **Passwordless experience turned on**: the password credential provider :::image type="icon" source="images/key-credential-provider.svg" border="false"::: is missing for the last user who signed in with strong credentials. A user can either sign in using a strong credential or opt to use the *Other user* option to sign in with a password.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/lock-screen-on.png" lightbox="images/lock-screen-on.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint and PIN credential providers only. The password credential provider is missing.":::
+  :::column-end:::
+:::row-end:::
+
+### In-session authentication experiences
+
+When Windows passwordless experience is enabled, users can't use the password credential provider for in-session authentication scenarios. In-session authentication scenarios include:
+
+- Password Manager in a web browser
+- Connecting to file shares or intranet sites
+- User Account Control (UAC) elevation, except if a local user account is used for elevation
+
+>[!NOTE]
+> RDP sign in defaults to the credential provider used during sign-in. However, a user can select the option *Use a different account* to sign in with a password.
+>
+> *Run as different user* is not impacted by Windows passwordless experience.
+
+Example of UAC elevation experience:
+
+:::row:::
+  :::column span="3":::
+  **Passwordless experience turned off**: UAC elevation allows the user to authenticate using a password.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/uac-off.png" lightbox="images/uac-off.png" alt-text="Screenshot of the UAC prompt showing username and password fields.":::
+  :::column-end:::
+:::row-end:::
+:::row:::
+  :::column span="3":::
+  **Passwordless experience turned on**: UAC elevation doesn't allow the user to use the password credential provider for the currently logged on user. The user can authenticate using Windows Hello, a FIDO2 security key or a local user account, if available.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/uac-on.png" lightbox="images/uac-on.png" alt-text="Screenshot of the UAC prompt showing fingerprint and PIN options only.":::
+  :::column-end:::
+:::row-end:::
+
+## Recommendations
+
+Here's a list of recommendations to consider before enabling Windows passwordless experience:
+
+- If Windows Hello for Business is enabled, configure the [PIN reset](../hello-for-business/hello-feature-pin-reset.md) feature to allow users to reset their PIN from the lock screen. The PIN reset experience is improved starting in Windows 11, version 22H2 with [KB5030310][KB-1]
+- Don't configure the security policy *Interactive logon: Don't display last signed-in*, as it prevents Windows passwordless experience from working
+- Don't disable the password credential provider using the *Exclude credential providers* policy. The key differences between the two policies are:
+  - The Exclude credential providers policy disables passwords for *all accounts*, including local accounts. Windows passwordless experience only applies to Microsoft Entra accounts that sign in with Windows Hello or a FIDO2 security key. It also excludes *Other User* from the policy, so users have a backup sign in option
+  - Exclude credential providers policy prevents the use of passwords for RDP and *Run as* authentication scenarios
+- To facilitate helpdesk support operations, consider enabling the local administrator account or create a separate one, randomizing its password using the [Windows Local Administrator Password Solution (LAPS)][SERV-1]
+
+## Known issues
+
+There's a known issue affecting the in-session authentication experience when using FIDO2 security keys, where security keys aren't always an available option. The product group is aware of this behavior and plans to improve this in the future.
+
+### :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for Windows passwordless experience, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**.
+
+<!--links used in this document-->
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience
+[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
+[INT-2]: /mem/intune/configuration/custom-settings-windows-10
+[KB-1]: https://support.microsoft.com/kb/5030310
+[SERV-1]: /windows-server/identity/laps/laps-overview
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 41748c9408..5c99653fe4 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -1,11 +1,11 @@
 ---
-title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard 
-description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
+title: Remote Credential Guard 
+description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device.
 ms.collection: 
 - highpri
-- tier2
-ms.topic: article
-ms.date: 01/12/2018
+- tier1
+ms.topic: how-to
+ms.date: 09/06/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
@@ -13,96 +13,112 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
 ---
-# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
 
-Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
+# Remote Credential Guard
 
-Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device.
+## Overview
+
+Remote Credential Guard helps protecting credentials over a Remote Desktop (RDP) connection by redirecting Kerberos requests back to the device that's requesting the connection. If the target device is compromised, the credentials aren't exposed because both credential and credential derivatives are never passed over the network to the target device. Remote Credential Guard also provides single sign-on experiences for Remote Desktop sessions.
+
+This article describes how to configure and use Remote Credential Guard.
 
 > [!IMPORTANT]
 > For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#remote-desktop-connections-and-helpdesk-support-scenarios) in this article.
 
-## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options
+## Compare Remote Credential Guard with other connection options
 
-The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works:
+Using a Remote Desktop session without Remote Credential Guard has the following security implications:
 
-![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
+- Credentials are sent to and stored on the remote host
+- Credentials aren't protected from attackers on the remote host
+- Attacker can use credentials after disconnection
 
-The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option:
+The security benefits of Remote Credential Guard include:
 
-![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
+- Credentials aren't sent to the remote host
+- During the remote session you can connect to other systems using SSO
+- An attacker can act on behalf of the user only when the session is ongoing
 
-As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
+The security benefits of [Restricted Admin mode][TECH-1] include:
+
+- Credentials aren't sent to the remote host
+- The Remote Desktop session connects to other resources as the remote host's identity
+- An attacker can't act on behalf of the user and any attack is local to the server
 
 Use the following table to compare different Remote Desktop connection security options:
 
-| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
+| Feature | Remote Desktop | Remote Credential Guard | Restricted Admin mode |
 |--|--|--|--|
-| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server |
-| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). |
-| **Helps prevent**   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; | &nbsp;&nbsp;&nbsp;&nbsp; N/A &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | <ul><li> Pass-the-Hash</li> <li>Use of a credential after disconnection </li></ul> | <ul><li> Pass-the-Hash</li> <li>Use of domain identity during connection </li></ul> |
-| **Credentials supported from the remote desktop client device** | <ul><li><b>Signed on</b> credentials <li> <b>Supplied</b> credentials<li> <b>Saved</b> credentials </ul> | <ul><li> <b>Signed on</b> credentials only | <ul><li><b>Signed on</b> credentials<li><b>Supplied</b> credentials<li><b>Saved</b> credentials</ul> |
-| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
-| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. |
-| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
-| **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol |
-
-For further technical information, see [Remote Desktop Protocol](/windows/win32/termserv/remote-desktop-protocol)
-and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/cc961963(v=technet.10)).
-
-## Remote Desktop connections and helpdesk support scenarios
-
-For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects.
-
-Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf).
-
-To further harden security, we also recommend that you implement Local Administrator Password Solution (LAPS), a Group Policy client-side extension (CSE) introduced in Windows 8.1 that automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks  facilitated when customers use the same administrative local account and password combination on all their computers. You can download and install LAPS [here](https://www.microsoft.com/download/details.aspx?id=46899).
-
-For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/library/security/3062591.aspx).
-
-[!INCLUDE [windows-defender-remote-credential-guard](../../../includes/licensing/windows-defender-remote-credential-guard.md)]
+| Single sign-on (SSO) to other systems as signed in user | ✅ | ✅ | ❌ |
+| Multi-hop RDP | ✅ | ✅ | ❌ |
+| Prevent use of user's identity during connection | ❌ | ❌ | ✅ |
+| Prevent use of credentials after disconnection | ❌ | ✅ | ✅ |
+| Prevent Pass-the-Hash (PtH) | ❌ | ✅ | ✅ |
+| Supported authentication | Any negotiable protocol | Kerberos only | Any negotiable protocol |
+| Credentials supported from the remote desktop client device | - Signed on credentials<br>- Supplied credentials<br>- Saved credentials | - Signed on credentials<br>- Supplied credentials<br> | - Signed on credentials<br>- Supplied credentials<br>- Saved credentials |
+| RDP access granted with | Membership of **Remote Desktop Users** group on remote host | Membership of **Remote Desktop Users** group on remote host | Membership of **Administrators** group on remote host |
 
 ## Remote Credential Guard requirements
 
-To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements:
+To use Remote Credential Guard, the remote host and the client must meet the following requirements.
 
-The Remote Desktop client device:
+The remote host:
 
-- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine
-- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host
-- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard
-- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
+- Must allow the user to access via Remote Desktop connections
+- Must allow delegation of nonexportable credentials to the client device
 
-The Remote Desktop remote host:
+The client device:
 
-- Must be running at least Windows 10, version 1607 or Windows Server 2016.
-- Must allow Restricted Admin connections.
-- Must allow the client's domain user to access Remote Desktop connections.
-- Must allow delegation of non-exportable credentials.
+- Must be running the Remote Desktop Windows application. The Remote Desktop Universal Windows Platform (UWP) application doesn't support Remote Credential Guard
+- Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
 
-There are no hardware requirements for Windows Defender Remote Credential Guard.
+[!INCLUDE [remote-credential-guard](../../../includes/licensing/remote-credential-guard.md)]
 
-> [!NOTE]
-> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
->
-> GPO [Remote host allows delegation of non-exportable credentials](/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
+## Enable delegation of nonexportable credentials on the remote hosts
 
-- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
-- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
-- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
+This policy is required on the remote hosts to support Remote Credential Guard and Restricted Admin mode. It allows the remote host to delegate nonexportable credentials to the client device.\
+If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host, exposing users to the risk of credential theft from attackers on the remote host.
 
-## Enable Windows Defender Remote Credential Guard
+To enable delegation of nonexportable credentials on the remote hosts, you can use:
 
-You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry.
+- Microsoft Intune/MDM
+- Group policy
+- Registry
 
-1. Open Registry Editor on the remote host
-1. Enable Restricted Admin and Windows Defender Remote Credential Guard:
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
 
-  - Go to `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa`
-  - Add a new DWORD value named **DisableRestrictedAdmin**
-  - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0
+#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
 
-1. Close Registry Editor
+[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Administrative Templates > System > Credentials Delegation** | Remote host allows delegation of nonexportable credentials | Enabled |
+
+[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-3] with the [Policy CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials`<br>- **Data type:** string<br>- **Value:** `<enabled/>`|
+
+#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Credentials Delegation** | Remote host allows delegation of nonexportable credentials | Enabled |
+
+[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
+#### [:::image type="icon" source="../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+To configure devices using the registry, use the following settings:
+
+| Setting |
+|-|
+| - **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` <br>- **Key name:** `DisableRestrictedAdmin`<br>- **Type:** `REG_DWORD`<br>- **Value:** `0`|
 
 You can add this by running the following command from an elevated command prompt:
 
@@ -110,44 +126,103 @@ You can add this by running the following command from an elevated command promp
 reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
 ```
 
-## Using Windows Defender Remote Credential Guard
+---
 
-Beginning with Windows 10 version 1703, you can enable Windows Defender Remote Credential Guard on the client device either by using Group Policy or by using a parameter with the Remote Desktop Connection.
+## Configure delegation of credentials on the clients
 
-### Turn on Windows Defender Remote Credential Guard by using Group Policy
+To enable Remote Credential Guard on the clients, you can configure a policy that prevents the delegation of credentials to the remote hosts.
 
-1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**
-1. Double-click **Restrict delegation of credentials to remote servers**
-    ![Windows Defender Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png)
-1. Under **Use the following restricted mode**:
-  - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used
+> [!TIP]
+> If you don't want to configure your clients to enforce Remote Credential Guard, you can use the following command to use Remote Credential Guard for a specific RDP session:
+> ```cmd
+> mstsc.exe /remoteGuard
+> ```
 
-     > [!NOTE]
-     > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
-     > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard.
+The policy can have different values, depending on the level of security you want to enforce:
 
-  - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#remote-credential-guard-requirements) listed earlier in this topic.
-  - If you  want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in  [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
-
-1. Click **OK**
-1. Close the Group Policy Management Console
-1. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied
-
-### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection
-
-If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
-
-```cmd
-mstsc.exe /remoteGuard
-```
+- **Disabled**: *Restricted Admin* and *Remote Credential Guard* mode aren't enforced and the Remote Desktop Client can delegate credentials to remote devices
+- **Require Restricted Admin**: the Remote Desktop Client must use Restricted Admin to connect to remote hosts
+- **Require Remote Credential Guard**: Remote Desktop Client must use Remote Credential Guard to connect to remote hosts
+- **Restrict credential delegation**: Remote Desktop Client must use Restricted Admin or Remote Credential Guard to connect to remote hosts. In this configuration, Remote Credential Guard is preferred, but it uses Restricted Admin mode (if supported) when Remote Credential Guard can't be used
 
 > [!NOTE]
-> The user must be authorized to connect to the remote server using Remote Desktop Protocol, for example by being a member of the Remote Desktop Users local group on the remote computer.
+> When *Restrict Credential Delegation* is enabled, the `/restrictedAdmin` switch will be ignored. Windows enforces the policy configuration instead and uses Remote Credential Guard.
 
-## Considerations when using Windows Defender Remote Credential Guard
+To configure your clients, you can use:
 
-- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
-- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory
-- Remote Desktop Credential Guard only works with the RDP protocol
+- Microsoft Intune/MDM
+- Group policy
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Administrative Templates > System > Credentials Delegation** | Restrict delegation of credentials to remote servers | Select **Enabled** and in the dropdown, select one of the options:<br>- **Restrict Credential Delegation**<br>- **Require Remote Credential Guard**|
+
+[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-3] with the [Policy CSP][CSP-2].
+
+| Setting |
+|--|
+|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration`<br>- **Data type:** string<br>- **Value:** `<enabled/><data id=\"RestrictedRemoteAdministrationDrop\" value=\"2\"/>`<br><br>Possible values for `RestrictedRemoteAdministrationDrop` are:<br>- `0`: Disabled<br>- `1`: Require Restricted Admin<br>- `2`: Require Remote Credential Guard<br>- `3`: Restrict credential delegation |
+
+#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\System\Credentials Delegation** | Restrict delegation of credentials to remote servers| **Enabled** and in the dropdown, select one of the options:<br>- **Restrict Credential Delegation**<br>- **Require Remote Credential Guard**|
+
+[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
+
+#### [:::image type="icon" source="../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
+
+Not documented.
+
+---
+
+## Use Remote Credential Guard
+
+Once a client receives the policy, you can connect to the remote host using Remote Credential Guard by opening the Remote Desktop Client (`mstsc.exe`). The user is automatically authenticated to the remote host:
+
+:::image type="content" source="images/remote-credential-guard.gif" alt-text="Animation showing a client connecting to a remote server using Remote Credential Guard with SSO.":::
+
+> [!NOTE]
+> The user must be authorized to connect to the remote server using the Remote Desktop protocol, for example by being a member of the Remote Desktop Users local group on the remote host.
+
+## Remote Desktop connections and helpdesk support scenarios
+
+For helpdesk support scenarios in which personnel require administrative access via Remote Desktop sessions, it isn't recommended the use of Remote Credential Guard. If an RDP session is initiated to an already compromised client, the attacker could use that open channel to create sessions on the user's behalf. The attacker can access any of the user's resources for a limited time after the session disconnects.
+
+We recommend using Restricted Admin mode option instead. For helpdesk support scenarios, RDP connections should only be initiated using the `/RestrictedAdmin` switch. This helps to ensure that credentials and other user resources aren't exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2][PTH-1].
+
+To further harden security, we also recommend that you implement Windows Local Administrator Password Solution (LAPS), which automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks  facilitated when customers use the same administrative local account and password combination on all their computers.
+
+For more information about LAPS, see [What is Windows LAPS][LEARN-1].
+
+## Additional considerations
+
+Here are some additional considerations for Remote Credential Guard:
+
+- Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
+- Remote Credential Guard can be used only when connecting to a device that is joined to an Active Directory domain. It can't be used when connecting to remote devices joined to Microsoft Entra ID
+- Remote Credential Guard can be used from a Microsoft Entra joined client to connect to an Active Directory joined remote host, as long as the client can authenticate using Kerberos
+- Remote Credential Guard only works with the RDP protocol
 - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own
 - The server and client must authenticate using Kerberos
+- Remote Credential Guard is only supported for direct connections to the target machines and not for the ones via Remote Desktop Connection Broker and Remote Desktop Gateway
+
+<!--links-->
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-credentialsdelegation
+[CSP-2]: /windows/client-management/mdm/policy-csp-admx-credssp
+[INT-3]: /mem/intune/configuration/settings-catalog
+[LEARN-1]: /windows-server/identity/laps/laps-overview
+[TECH-1]: https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx
+[PTH-1]: https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 5443446244..35ace33d60 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -2,7 +2,7 @@
 ms.date: 09/24/2021
 title: Smart Card and Remote Desktop Services 
 description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
-ms.topic: article
+ms.topic: conceptual
 ms.reviewer: ardenw
 ---
 # Smart Card and Remote Desktop Services
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index d305de2eae..f66eedf547 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -2,7 +2,7 @@
 title: Smart Card Architecture 
 description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
 ms.reviewer: ardenw
-ms.topic: article
+ms.topic: reference-architecture
 ms.date: 09/24/2021
 ---
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index f44786fcb1..62737034ae 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -2,7 +2,7 @@
 title: Certificate Propagation Service 
 description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
 ms.reviewer: ardenw
-ms.topic: article
+ms.topic: concept-article
 ms.date: 08/24/2021
 ---
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index ac153d8216..9931e52d1f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -2,7 +2,7 @@
 title: Certificate Requirements and Enumeration 
 description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
 ms.reviewer: ardenw
-ms.topic: article
+ms.topic: concept-article
 ms.date: 09/24/2021
 ---
 
@@ -175,7 +175,7 @@ The smart card certificate has specific format requirements when it is used with
 
 |            **Component**             |                                                                **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11**                                                                 |                                                                                                **Requirements for Windows XP**                                                                                                 |
 |--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|   CRL distribution point location    |                                                                                               Not required                                                                                               |             The location must be specified, online, and available, for example:<br>\[1\]CRL Distribution Point<br>Distribution Point Name:<br>Full Name:<br>URL=`<https://server1.contoso.com/CertEnroll/caname.crl>`             |
+|   CRL distribution point location    |                                                                                               Not required                                                                                               |             The location must be specified, online, and available, for example:<br>\[1\]CRL Distribution Point<br>Distribution Point Name:<br>Full Name:<br>URL=`<http://server1.contoso.com/CertEnroll/caname.crl>`             |
 |              Key usage               |                                                                                            Digital signature                                                                                             |                                                                                                       Digital signature                                                                                                        |
 |          Basic constraints           |                                                                                               Not required                                                                                               |                                                                              \[Subject Type=End Entity, Path Length Constraint=None\] (Optional)                                                                               |
 |       extended key usage (EKU)       | The smart card sign-in object identifier is not required.<br><br>**Note**&nbsp;&nbsp;If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. |      -   Client Authentication (1.3.6.1.5.5.7.3.2)<br>The client authentication object identifier is required only if a certificate is used for SSL authentication.<br><br>- Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2)       |
@@ -310,4 +310,4 @@ For more information about this option for the command-line tool, see [-SCRoots]
 
 ## See also
 
-[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
\ No newline at end of file
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index afd45f5a5f..8193759010 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -5,7 +5,7 @@ ms.reviewer: ardenw
 ms.collection: 
   - highpri
   - tier2
-ms.topic: article
+ms.topic: troubleshooting
 ms.date: 09/24/2021
 ---
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index e2ef4a9160..f3f0e7de99 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -2,7 +2,7 @@
 title: Smart Card Group Policy and Registry Settings 
 description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
 ms.reviewer: ardenw
-ms.topic: article
+ms.topic: reference
 ms.date: 11/02/2021
 ---
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index 5d498cb152..5ad7eb1205 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -2,7 +2,7 @@
 title: How Smart Card Sign-in Works in Windows
 description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
 ms.reviewer: ardenw
-ms.topic: article
+ms.topic: overview
 ms.date: 09/24/2021
 ---
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 8250828ff6..4b9fd9a3fd 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -2,7 +2,7 @@
 title: Smart Card Removal Policy Service 
 description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
 ms.reviewer: ardenw
-ms.topic: article
+ms.topic: concept-article
 ms.date: 09/24/2021
 ---
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index e3a98718be..2604d84270 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -2,7 +2,7 @@
 title: Smart Cards for Windows Service 
 description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
 ms.reviewer: ardenw
-ms.topic: article
+ms.topic: concept-article
 ms.date: 09/24/2021
 ---
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index 4de4acbfc6..f18465fff3 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -2,7 +2,7 @@
 title: Smart Card Tools and Settings 
 description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
 ms.reviewer: ardenw
-ms.topic: article
+ms.topic: conceptual
 ms.date: 09/24/2021
 ---
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 07d20ddf30..a7e5247fcc 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -2,7 +2,7 @@
 title: Smart Card Technical Reference 
 description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
 ms.reviewer: ardenw
-ms.topic: article
+ms.topic: reference
 ms.date: 09/24/2021
 ---
 
diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml
index d8e6726e39..5762bfaf81 100644
--- a/windows/security/identity-protection/toc.yml
+++ b/windows/security/identity-protection/toc.yml
@@ -3,16 +3,18 @@ items:
     href: index.md
   - name: Passwordless sign-in
     items:
-    - name: Windows Hello for Business 🔗
-      href: hello-for-business/index.md
+    - name: Passwordless strategy
+      href: hello-for-business/passwordless-strategy.md
+    - name: Windows Hello for Business
+      href: hello-for-business/toc.yml
     - name: Windows presence sensing
       href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb
-    - name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗
-      href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
-    - name: FIDO 2 security key 🔗
+    - name: FIDO2 security key 🔗
       href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
-    - name: Federated sign-in 🔗
-      href: /education/windows/federated-sign-in
+    - name: Windows passwordless experience
+      href: passwordless-experience/index.md
+    - name: Passkeys
+      href: passkeys/index.md
     - name: Smart Cards
       href: smart-cards/toc.yml
     - name: Virtual smart cards
@@ -20,6 +22,10 @@ items:
       displayName: VSC
     - name: Enterprise Certificate Pinning
       href: enterprise-certificate-pinning.md
+  - name: Web sign-in
+    href: web-sign-in/index.md
+  - name: Federated sign-in 🔗
+    href: /education/windows/federated-sign-in
   - name: Advanced credential protection
     items:
     - name: Windows LAPS (Local Administrator Password Solution) 🔗
@@ -33,11 +39,11 @@ items:
     - name: Access Control
       href: access-control/access-control.md
       displayName: ACL/SACL
-    - name: Windows Defender Credential Guard
+    - name: Credential Guard
       href: credential-guard/toc.yml
-    - name: Windows Defender Remote Credential Guard
+    - name: Remote Credential Guard
       href: remote-credential-guard.md
-  - name: LSA Protection
+  - name: LSA Protection 🔗
     href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
   - name: Local Accounts
     href: access-control/local-accounts.md
diff --git a/windows/security/identity-protection/web-sign-in/images/lock-screen.png b/windows/security/identity-protection/web-sign-in/images/lock-screen.png
new file mode 100644
index 0000000000..dfe0a0687e
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/lock-screen.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif
new file mode 100644
index 0000000000..499f39dbb5
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png
new file mode 100644
index 0000000000..be213d4500
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-authenticator.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-credential-provider.svg b/windows/security/identity-protection/web-sign-in/images/web-sign-in-credential-provider.svg
new file mode 100644
index 0000000000..1afb38e115
--- /dev/null
+++ b/windows/security/identity-protection/web-sign-in/images/web-sign-in-credential-provider.svg
@@ -0,0 +1,4 @@
+<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M1.81653 0.5H18.1835C18.9098 0.5 19.5 1.09024 19.5 1.81653V18.1835C19.5 18.9098 18.9098 19.5 18.1835 19.5H1.81653C1.09024 19.5 0.5 18.9098 0.5 18.1835V1.81653C0.5 1.09024 1.09024 0.5 1.81653 0.5Z" fill="#464646" stroke="#C4C4C4"/>
+<path d="M10 4.33337C10.5508 4.33337 11.082 4.40564 11.5937 4.55017C12.1055 4.6908 12.584 4.89197 13.0293 5.15369C13.4746 5.4115 13.8789 5.724 14.2422 6.09119C14.6094 6.45447 14.9219 6.85876 15.1797 7.30408C15.4414 7.74939 15.6426 8.22791 15.7832 8.73962C15.9277 9.25134 16 9.78259 16 10.3334C16 10.8842 15.9277 11.4154 15.7832 11.9271C15.6426 12.4388 15.4414 12.9174 15.1797 13.3627C14.9219 13.808 14.6094 14.2142 14.2422 14.5814C13.8789 14.9447 13.4746 15.2572 13.0293 15.5189C12.584 15.7767 12.1055 15.9779 11.5937 16.1224C11.082 16.2631 10.5508 16.3334 10 16.3334C9.44922 16.3334 8.91797 16.2631 8.40625 16.1224C7.89453 15.9779 7.41601 15.7767 6.9707 15.5189C6.52539 15.2572 6.11914 14.9447 5.75195 14.5814C5.38867 14.2142 5.07617 13.808 4.81445 13.3627C4.55664 12.9174 4.35547 12.4408 4.21094 11.933C4.07031 11.4213 4 10.8881 4 10.3334C4 9.78259 4.07031 9.25134 4.21094 8.73962C4.35547 8.22791 4.55664 7.74939 4.81445 7.30408C5.07617 6.85876 5.38867 6.45447 5.75195 6.09119C6.11914 5.724 6.52539 5.4115 6.9707 5.15369C7.41601 4.89197 7.89258 4.6908 8.40039 4.55017C8.91211 4.40564 9.44531 4.33337 10 4.33337ZM14.7402 8.08337C14.5918 7.76697 14.4121 7.47009 14.2012 7.19275C13.9902 6.9115 13.7559 6.65564 13.498 6.42517C13.2402 6.1947 12.9609 5.98962 12.6602 5.80994C12.3594 5.63025 12.0449 5.48376 11.7168 5.37048C11.8574 5.5658 11.9844 5.77283 12.0977 5.99158C12.2109 6.21033 12.3105 6.43689 12.3965 6.67126C12.4863 6.90173 12.5625 7.13611 12.625 7.37439C12.6875 7.61267 12.7422 7.849 12.7891 8.08337H14.7402ZM15.25 10.3334C15.25 9.81384 15.1777 9.31384 15.0332 8.83337H12.9062C12.9375 9.08337 12.9609 9.33337 12.9766 9.58337C12.9922 9.82947 13 10.0795 13 10.3334C13 10.5873 12.9922 10.8392 12.9766 11.0892C12.9609 11.3353 12.9375 11.5834 12.9062 11.8334H15.0332C15.1777 11.3529 15.25 10.8529 15.25 10.3334ZM10 15.5834C10.1914 15.5834 10.3691 15.5306 10.5332 15.4252C10.7012 15.3197 10.8555 15.181 10.9961 15.0092C11.1367 14.8373 11.2617 14.6439 11.3711 14.4291C11.4844 14.2103 11.584 13.9896 11.6699 13.767C11.7559 13.5443 11.8281 13.3295 11.8867 13.1224C11.9453 12.9154 11.9902 12.7357 12.0215 12.5834H7.97851C8.00976 12.7357 8.05469 12.9154 8.11328 13.1224C8.17187 13.3295 8.24414 13.5443 8.33008 13.767C8.41601 13.9896 8.51367 14.2103 8.62305 14.4291C8.73633 14.6439 8.86328 14.8373 9.0039 15.0092C9.14453 15.181 9.29687 15.3197 9.46094 15.4252C9.6289 15.5306 9.80859 15.5834 10 15.5834ZM12.1504 11.8334C12.1816 11.5834 12.2051 11.3353 12.2207 11.0892C12.2402 10.8392 12.25 10.5873 12.25 10.3334C12.25 10.0795 12.2402 9.82947 12.2207 9.58337C12.2051 9.33337 12.1816 9.08337 12.1504 8.83337H7.84961C7.81836 9.08337 7.79297 9.33337 7.77344 9.58337C7.75781 9.82947 7.75 10.0795 7.75 10.3334C7.75 10.5873 7.75781 10.8392 7.77344 11.0892C7.79297 11.3353 7.81836 11.5834 7.84961 11.8334H12.1504ZM4.75 10.3334C4.75 10.8529 4.82226 11.3529 4.9668 11.8334H7.09375C7.0625 11.5834 7.03906 11.3353 7.02344 11.0892C7.00781 10.8392 7 10.5873 7 10.3334C7 10.0795 7.00781 9.82947 7.02344 9.58337C7.03906 9.33337 7.0625 9.08337 7.09375 8.83337H4.9668C4.82226 9.31384 4.75 9.81384 4.75 10.3334ZM10 5.08337C9.80859 5.08337 9.6289 5.13611 9.46094 5.24158C9.29687 5.34705 9.14453 5.48572 9.0039 5.65759C8.86328 5.82947 8.73633 6.02478 8.62305 6.24353C8.51367 6.45837 8.41601 6.67712 8.33008 6.89978C8.24414 7.12244 8.17187 7.33728 8.11328 7.54431C8.05469 7.75134 8.00976 7.93103 7.97851 8.08337H12.0215C11.9902 7.93103 11.9453 7.75134 11.8867 7.54431C11.8281 7.33728 11.7559 7.12244 11.6699 6.89978C11.584 6.67712 11.4844 6.45837 11.3711 6.24353C11.2617 6.02478 11.1367 5.82947 10.9961 5.65759C10.8555 5.48572 10.7012 5.34705 10.5332 5.24158C10.3691 5.13611 10.1914 5.08337 10 5.08337ZM8.2832 5.37048C7.95508 5.48376 7.64062 5.63025 7.33984 5.80994C7.03906 5.98962 6.75976 6.1947 6.50195 6.42517C6.24414 6.65564 6.00976 6.9115 5.79883 7.19275C5.58789 7.47009 5.4082 7.76697 5.25976 8.08337H7.21094C7.25781 7.849 7.3125 7.61267 7.375 7.37439C7.4375 7.13611 7.51172 6.90173 7.59765 6.67126C7.6875 6.43689 7.78906 6.21033 7.90234 5.99158C8.01562 5.77283 8.14258 5.5658 8.2832 5.37048ZM5.25976 12.5834C5.4082 12.8998 5.58789 13.1986 5.79883 13.4799C6.00976 13.7572 6.24414 14.0111 6.50195 14.2416C6.75976 14.472 7.03906 14.6771 7.33984 14.8568C7.64062 15.0365 7.95508 15.183 8.2832 15.2963C8.14258 15.101 8.01562 14.8939 7.90234 14.6752C7.78906 14.4564 7.6875 14.2318 7.59765 14.0013C7.51172 13.767 7.4375 13.5306 7.375 13.2924C7.3125 13.0541 7.25781 12.8177 7.21094 12.5834H5.25976ZM11.7168 15.2963C12.0449 15.183 12.3594 15.0365 12.6602 14.8568C12.9609 14.6771 13.2402 14.472 13.498 14.2416C13.7559 14.0111 13.9902 13.7572 14.2012 13.4799C14.4121 13.1986 14.5918 12.8998 14.7402 12.5834H12.7891C12.7422 12.8177 12.6875 13.0541 12.625 13.2924C12.5625 13.5306 12.4863 13.767 12.3965 14.0013C12.3105 14.2318 12.2109 14.4564 12.0977 14.6752C11.9844 14.8939 11.8574 15.101 11.7168 15.2963Z" fill="white"/>
+</svg>
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif
new file mode 100644
index 0000000000..403c7fb609
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png
new file mode 100644
index 0000000000..f22395fbd7
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-federated-auth.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif
new file mode 100644
index 0000000000..9ae9f3c92f
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png
new file mode 100644
index 0000000000..e3b341d814
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-pin-reset.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-preferred-tenant.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-preferred-tenant.png
new file mode 100644
index 0000000000..01d91be145
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-preferred-tenant.png differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif
new file mode 100644
index 0000000000..b677b87480
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.gif differ
diff --git a/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png
new file mode 100644
index 0000000000..18c20dd4fd
Binary files /dev/null and b/windows/security/identity-protection/web-sign-in/images/web-sign-in-tap.png differ
diff --git a/windows/security/identity-protection/web-sign-in/index.md b/windows/security/identity-protection/web-sign-in/index.md
new file mode 100644
index 0000000000..edd4b03647
--- /dev/null
+++ b/windows/security/identity-protection/web-sign-in/index.md
@@ -0,0 +1,172 @@
+---
+title: Web sign-in for Windows
+description: Learn how Web sign-in in Windows works, key scenarios, and how to configure it.
+ms.date: 09/27/2023
+ms.topic: how-to
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+ms.collection:
+  - highpri
+  - tier1
+---
+
+# Web sign-in for Windows
+
+Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities.
+This feature is called *Web sign-in*.
+
+Web sign-in is a *credential provider*, and it was initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in are expanded.\
+For example, you can sign in with the Microsoft Authenticator app or with a SAML-P federated identity.
+
+This article describes how to configure Web sign-in and the supported key scenarios.
+
+## System requirements
+
+To use web sign-in, the clients must meet the following prerequisites:
+
+- Windows 11, version 22H2 with [5030310][KB-1], or later
+- Must be Microsoft Entra joined
+- Must have Internet connectivity, as the authentication is done over the Internet
+
+[!INCLUDE [federated-sign-in](../../../../includes/licensing/web-sign-in.md)]
+
+## Configure web sign-in
+
+To use web sign-in, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
+
+#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| Authentication | Enable Web Sign In | Enabled |
+| Authentication | Configure Web Sign In Allowed Urls | This setting is optional, and it contains a list of domains required for sign in, for example:<br>- `idp.example.com`<br>- `example.com` |
+| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, for example: `example.com` |
+
+[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
+
+| OMA-URI | More information |
+|-|-|
+| `./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`| [EnableWebSignIn](/windows/client-management/mdm/policy-csp-authentication#enablewebsignin) |
+| `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`|[ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#configurewebsigninallowedurls)|
+| `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`|[ConfigureWebcamAccessDomainNames](/windows/client-management/mdm/policy-csp-authentication#configurewebcamaccessdomainnames)|
+
+#### [:::image type="icon" source="../../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+[!INCLUDE [provisioning-package-1](../../../../includes/configure/provisioning-package-1.md)]
+
+| Path | Setting name | Value |
+|--|--|--|
+| `Policies/Authentication` | `EnableWebSignIn` | Enabled |
+| `Policies/Authentication` | `ConfigureWebSignInAllowedUrls` | This setting is optional, and it contains a semicolon-separated list of domains required for sign in, for example: `idp.example.com;example.com` |
+| `Policies/Authentication` | `ConfigureWebCamAccessDomainNames` | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `example.com` |
+
+[!INCLUDE [provisioning-package-2](../../../../includes/configure/provisioning-package-2.md)]
+
+---
+
+## User experiences
+
+Once the devices are configured, a new sign-in experience becomes available, as indicated by the presence of the Web sign-in credential provider :::image type="icon" source="images/web-sign-in-credential-provider.svg" border="false"::: in the Windows lock screen.
+
+:::image type="content" source="images/lock-screen.png" border="false" lightbox="images/lock-screen.png" alt-text="Screenshot of the Windows lock screen showing the Web sign-in credential provider.":::
+
+Here's a list of key scenarios supported by Web sign-in, and a brief animation showing the user experience. Select the thumbnail to start the animation.
+
+### Passwordless sign-in
+:::row:::
+  :::column span="3":::
+  Users can sign in to Windows passwordless, even before enrolling in Windows Hello for Business. For example, by using the Microsoft Authenticator app as a sign-in method.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/web-sign-in-authenticator.png" border="false" lightbox="images/web-sign-in-authenticator.gif" alt-text="Animation of the Web sign-in experience with Microsoft Authenticator.":::
+  :::column-end:::
+:::row-end:::
+
+> [!TIP]
+> When used in conjuction with *Windows Hello for Business passwordless*, you can hide the password credential provider from the lock screen as well as in-session authentication scenarios. This enables a truly passwordless Windows experience.
+
+To learn more:
+- [Enable passwordless sign-in with Microsoft Authenticator][AAD-1]
+- [Passwordless authentication options for Microsoft Entra ID][AAD-2]
+- [Windows passwordless experience](../passwordless-experience/index.md)
+
+### Windows Hello for Business PIN reset
+
+:::row:::
+  :::column span="3":::
+  The Windows Hello PIN reset flow is seamless and more robust than in previous versions.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/web-sign-in-pin-reset.png" border="false" lightbox="images/web-sign-in-pin-reset.gif" alt-text="Animation of the PIN reset in experience.":::
+  :::column-end:::
+:::row-end:::
+
+For more information, see [PIN reset](../hello-for-business/hello-feature-pin-reset.md).
+
+### Temporary Access Pass (TAP)
+
+:::row:::
+  :::column span="3":::
+  A Temporary Access Pass (TAP) is a time-limited passcode granted by an administrator to a user. Users can sign in with a TAP using the Web sign-in credential provider. For example:
+
+  - to onboard Windows Hello for Business or a FIDO2 security key
+  - if lost or forgotten FIDO2 security key and unknown password
+
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/web-sign-in-tap.png" border="false" lightbox="images/web-sign-in-tap.gif" alt-text="Animation of the TAP sign in experience.":::
+  :::column-end:::
+:::row-end:::
+
+For more information, see [Use a Temporary Access Pass][AAD-3].
+
+### Sign in with a federated identity
+
+:::row:::
+  :::column span="3":::
+  If the Microsoft Entra tenant is federated with a third-party SAML-P identity provider (IdP), federated users can sign using the Web sign-in credential provider.
+  :::column-end:::
+  :::column span="1":::
+  :::image type="content" source="images/web-sign-in-federated-auth.png" border="false" lightbox="images/web-sign-in-federated-auth.gif" alt-text="Animation of the sign in experience with a federated user.":::
+  :::column-end:::
+:::row-end:::
+
+> [!TIP]
+> To improve the user experience for federated identities:
+>
+> - Configure the *preferred Microsoft Entra tenant name* feature, which allows users to select the domain name during the sign-in process. The users are then automatically redirected to the identity provider sign-in page.
+> - Enable Windows Hello for Business. Once the user signs in, the user can enroll in Windows Hello for Business and then use it to sign in to the device
+
+For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-1].
+
+## Important considerations
+
+Here's a list of important considerations to keep in mind when configuring or using Web sign-in:
+
+- Cached credentials aren't supported with Web sign-in. If the device is offline, the user can't use the Web sign-in credential provider to sign in
+- After sign out, the user isn't displayed in the user selection list
+- Once enabled, the Web sign-in credential provider is the default credential provider for new users signing in to the device. To change the default credential provider, you can use the [DefaultCredentialProvider][WIN-2] ADMX-backed policy
+- The user can exit the Web sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the Windows lock screen
+
+### Known issues
+
+- If you attempt to sign in while the device is offline, you get the following message: *It doesn't look that you're connected to the Internet. Check your connection and try again*. Selecting the *Back to sign-in* option doesn't bring you back to the lock screen. As a workaround, you can press <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the lock screen.
+
+### :::image type="icon" source="../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for web sign-in, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Passwordless experience**.
+
+<!--links-->
+
+[AAD-1]: /azure/active-directory/authentication/howto-authentication-passwordless-phone
+[AAD-2]: /azure/active-directory/authentication/concept-authentication-passwordless
+[AAD-3]: /azure/active-directory/authentication/howto-authentication-temporary-access-pass
+[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
+[INT-1]: /mem/intune/configuration/custom-settings-windows-10
+[KB-1]: https://support.microsoft.com/kb/5030310
+[WIN-1]: /windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname
+[WIN-2]: /windows/client-management/mdm/policy-csp-admx-credentialproviders#defaultcredentialprovider
diff --git a/windows/security/images/icons/feedback.svg b/windows/security/images/icons/feedback.svg
new file mode 100644
index 0000000000..2ecd143695
--- /dev/null
+++ b/windows/security/images/icons/feedback.svg
@@ -0,0 +1,3 @@
+<svg width="42" height="40" viewBox="0 0 42 40" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M27.27 21C27.03 21 26.78 20.96 26.54 20.88C25.6 20.57 25 19.73 25 18.75V15.94C22.74 15.58 21 13.61 21 11.25V4.75C21 2.13 23.13 0 25.75 0H37.25C39.87 0 42 2.13 42 4.75V11.25C42 13.87 39.87 16 37.25 16H32.13L29.05 20.1C28.61 20.68 27.96 21 27.27 21ZM13 23.5C8.86 23.5 5.5 20.14 5.5 16C5.5 11.86 8.86 8.5 13 8.5C17.14 8.5 20.5 11.86 20.5 16C20.5 20.14 17.14 23.5 13 23.5ZM0 30.79C0 30.88 0.15 40 13 40C25.85 40 26 30.88 26 30.79V29.75C26 27.68 24.32 26 22.25 26H3.75C1.68 26 0 27.68 0 29.75V30.79Z" fill="#0078D4"/>
+</svg>
diff --git a/windows/security/images/icons/key.svg b/windows/security/images/icons/key.svg
new file mode 100644
index 0000000000..c9df33c18f
--- /dev/null
+++ b/windows/security/images/icons/key.svg
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 2048 2048" width="18" height="18" >
+  <path d="M2048 1573v475h-512v-256h-256v-256h-256v-207q-74 39-155 59t-165 20q-97 0-187-25t-168-71-142-110-111-143-71-168T0 704q0-97 25-187t71-168 110-142T349 96t168-71T704 0q97 0 187 25t168 71 142 110 111 143 71 168 25 187q0 51-8 101t-23 98l671 670zM512 704q40 0 75-15t61-41 41-61 15-75q0-40-15-75t-41-61-61-41-75-15q-40 0-75 15t-61 41-41 61-15 75q0 40 15 75t41 61 61 41 75 15z"  fill="#0078D4" />
+</svg>
\ No newline at end of file
diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg
new file mode 100644
index 0000000000..dbbad7d780
--- /dev/null
+++ b/windows/security/images/icons/provisioning-package.svg
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
+  <path d="M1544 128q75 0 143 30t120 82 82 120 31 144v328q0 26-19 45t-45 19q-26 0-45-19t-19-45V507q0-50-20-95t-55-80-80-55-96-21H346q16 15 27 28t11 36q0 26-19 45t-45 19q-26 0-45-19L147 237q-19-19-19-45t19-45L275 19q19-19 45-19t45 19 19 45q0 23-11 36t-27 28h1198zm-57 896q0 24 22 43t50 39 50 46 23 63q0 21-12 51t-30 61-37 59-33 44q-31 37-79 37-20 0-42-8t-44-17-41-17-35-8q-15 0-24 6t-14 15-8 20-5 24l-17 91q-6 34-25 52t-45 27-55 10-57 2h-5q-27 0-58-1t-58-11-47-28-26-53l-20-116q-2-14-14-26t-28-12q-20 0-40 7t-42 17-43 17-43 8q-50 0-80-37-14-16-32-43t-35-59-29-61-12-52q0-39 22-64t50-45 49-38 23-43q0-25-22-43t-50-39-50-45-23-64q0-22 12-52t30-60 37-58 33-45q31-37 79-37 20 0 42 7t43 17 40 17 36 8q21 0 32-11t16-30 8-41 7-46 11-45 24-38q12-12 29-19t37-10 40-5 39-1h15q27 0 57 1t58 11 46 28 26 53l20 116q3 18 16 27t31 10q17 0 37-7t41-17 42-17 42-8q23 0 44 10t36 28q14 17 32 44t36 58 29 61 12 52q0 39-22 64t-50 45-49 38-23 43zm-128 0q0-37 12-64t31-50 45-42 52-42q-13-30-29-58t-36-54q-36 13-76 29t-80 16q-24 0-44-6t-42-18q-33-19-51-42t-27-51-13-59-11-67q-16-2-32-3t-33-1q-17 0-33 1t-32 3q-7 35-11 66t-14 58-28 52-51 43q-21 13-41 18t-45 6q-40 0-79-16t-76-30q-38 51-66 112 26 22 51 42t45 42 32 50 12 65q0 37-12 64t-31 50-45 42-52 42q13 30 29 58t36 54q35-13 74-29t79-16q32 0 61 10t52 30 39 46 22 58l17 99q17 2 32 3t33 1q17 0 33-1t33-3q5-30 9-59t13-57 24-52 43-43q23-15 48-23t53-9q18 0 38 5t40 12 39 15 37 14q38-51 66-112-26-22-51-42t-45-42-32-50-12-65zm-207 0q0 27-10 50t-27 40-41 28-50 10q-27 0-50-10t-41-27-27-40-10-51q0-27 10-50t27-40 41-28 50-10q26 0 49 10t41 27 28 41 10 50zm768 832q0 26-19 45l-128 128q-19 19-45 19t-45-19-19-45q0-23 11-36t27-28H504q-75 0-143-30t-120-82-82-120-31-144v-328q0-26 19-45t45-19q26 0 45 19t19 45v325q0 50 20 95t55 80 80 55 96 21h1195q-14-14-26-28t-12-36q0-26 19-45t45-19q26 0 45 19l128 128q19 19 19 45z" fill="#0078D4" />
+</svg>
\ No newline at end of file
diff --git a/windows/security/includes/sections/application.md b/windows/security/includes/sections/application.md
index 34f9e6a785..8b6b510ef4 100644
--- a/windows/security/includes/sections/application.md
+++ b/windows/security/includes/sections/application.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -10,17 +10,17 @@ ms.topic: include
 | Feature name | Description |
 |:---|:---|
 | **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in Windows Defender Application Control (WDAC) to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
-| **[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)** |  |
 | **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.<br><br>Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. |
+| **[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)** |  |
 | **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
-| **[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
+| **[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
 
 ## Application isolation
 
 | Feature name | Description |
 |:---|:---|
-| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
-| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
 | **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
 | **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
 | **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
diff --git a/windows/security/includes/sections/cloud-services.md b/windows/security/includes/sections/cloud-services.md
index 07fc5b88b5..efde3a725d 100644
--- a/windows/security/includes/sections/cloud-services.md
+++ b/windows/security/includes/sections/cloud-services.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -9,10 +9,10 @@ ms.topic: include
 
 | Feature name | Description |
 |:---|:---|
-| **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
-| **[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. <br><br>Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
+| **[Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)** | Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
+| **[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. <br><br>Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
 | **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers. <br><br>With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
 | **[Modern device management through (MDM)](/windows/client-management/mdm-overview)** | Windows 11 supports modern device management through mobile device management (MDM) protocols.<br><br>IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols.<br><br>To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.  |
 | **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft hosted cloud subscription service that supports a zero-trust security model by enabling network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. |
 | **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise. <br><br>The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors.  |
-| **[Windows Autopilot](/windows/deployment/windows-autopilot)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
+| **[Windows Autopilot](/autopilot/)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
diff --git a/windows/security/includes/sections/hardware.md b/windows/security/includes/sections/hardware.md
index 11a4f97b60..fa6c065293 100644
--- a/windows/security/includes/sections/hardware.md
+++ b/windows/security/includes/sections/hardware.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -20,7 +20,7 @@ ms.topic: include
 | **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
 | **[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
 | **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
-| **[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
+| **[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
 
 ## Secured-core PC
 
diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md
index 891ad65444..5a643de599 100644
--- a/windows/security/includes/sections/identity.md
+++ b/windows/security/includes/sections/identity.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -9,20 +9,23 @@ ms.topic: include
 
 | Feature name | Description |
 |:---|:---|
-| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.<br><br>Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
-| **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
+| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.<br><br>Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
+| **[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
 | **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in. <br><br>Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more. <br><br>For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. |
-| **[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. <br><br>Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
-| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
+| **[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)** | Windows passwordless experience is a security policy that aims to create a more user-friendly experience for Microsoft Entra joined devices by eliminating the need for passwords in certain authentication scenarios. By enabling this policy, users will not be given the option to use a password in these scenarios, which helps organizations transition away from passwords over time. |
+| **[Passkeys](/windows/security/identity-protection/passkeys)** | Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign in challenges, making the authentication process faster, secure, and more convenient. |
+| **[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. <br><br>Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
 | **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
 
 ## Advanced credential protection
 
 | Feature name | Description |
 |:---|:---|
-| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
+| **[Web sign-in](/windows/security/identity-protection/web-sign-in)** | Web sign-in is a credential provider initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded. For example, users can sign-in to Windows using the Microsoft Authenticator app or with a federated identity. |
+| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
+| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
 | **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. |
-| **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
+| **[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
 | **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.<br><br>Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
-| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. <br><br>By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
-| **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. <br><br>Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
+| **[Credential Guard](/windows/security/identity-protection/credential-guard/)** | Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. <br><br>By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
+| **[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. <br><br>Administrator credentials are highly privileged and must be protected. When you use Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
diff --git a/windows/security/includes/sections/operating-system-security.md b/windows/security/includes/sections/operating-system-security.md
index 3a748fac25..4a4ee4acf2 100644
--- a/windows/security/includes/sections/operating-system-security.md
+++ b/windows/security/includes/sections/operating-system-security.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -9,10 +9,11 @@ ms.topic: include
 
 | Feature name | Description |
 |:---|:---|
-| **[Secure Boot and Trusted Boot](/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts. <br><br>Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
+| **[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts. <br><br>Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
 | **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.<br><br>The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
-| **[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Azure Active Directory for conditional access. |
+| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. |
 | **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
+| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.<br><br>Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
 
 ## Virus and threat protection
 
@@ -24,20 +25,21 @@ ms.topic: include
 | **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
 | **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders. <br><br>Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware.  |
 | **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
-| **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
+| **[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
 | **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
 
 ## Network security
 
 | Feature name | Description |
 |:---|:---|
-| **[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
+| **[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
+| **[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)** | Starting in Windows 11, the Windows DNS client supports DNS over HTTPS (DoH), an encrypted DNS protocol. This allows administrators to ensure their devices protect DNS queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites.<br><br>In a zero-trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required. |
 | **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
 | **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.<br><br>Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
 | **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots.  |
-| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
-| **[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls.  |
-| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
+| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
+| **[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls.  |
+| **[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
 | **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.<br><br>With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
 | **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
 | **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.<br><br>SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
@@ -46,8 +48,8 @@ ms.topic: include
 
 | Feature name | Description |
 |:---|:---|
-| **[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Azure AD.  |
-| **[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).<br><br>BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
-| **[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.<br><br>By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
-| **[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow. <br><br>Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content.  |
-| **[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
+| **[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Microsoft Entra ID.  |
+| **[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).<br><br>BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
+| **[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.<br><br>By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
+| **[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow. <br><br>Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content.  |
+| **[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md
index 61eb75d6e8..7a85af0543 100644
--- a/windows/security/includes/sections/security-foundations.md
+++ b/windows/security/includes/sections/security-foundations.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/02/2023
+ms.date: 09/18/2023
 ms.topic: include
 ---
 
@@ -11,14 +11,14 @@ ms.topic: include
 |:---|:---|
 | **[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. |
 | **[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released.  |
-| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.<br><br>Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quickly fix the issues before releasing the final Windows.  |
+| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.<br><br>Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quicky fix the issues before releasing the final Windows.  |
 
 ## Certification
 
 | Feature name | Description |
 |:---|:---|
-| **[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
-| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
+| **[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
+| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
 
 ## Secure supply chain
 
@@ -26,4 +26,4 @@ ms.topic: include
 |:---|:---|
 | **Software Bill of Materials (SBOM)** | SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers. |
 | **[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)** | Windows Defender Application Control (WDAC) enables customers to define policies for controlling what is allowed to run on their devices. WDAC policies can be remotely applied to devices using an MDM solution like Microsoft Intune. <br><br>To simplify WDAC enablement, organizations can take advantage of Azure Code Signing, a secure and fully managed service for signing WDAC policies and apps. <br><br>Azure Code Signing minimizes the complexity of code signing with a turnkey service backed by a Microsoft managed certificate authority, eliminating the need to procure and self-manage any signing certificates. The service is managed just as any other Azure resource and integrates easily with the leading development and CI/CD toolsets.  |
-| **[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. |
+| **[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.  |
diff --git a/windows/security/index.yml b/windows/security/index.yml
index fcb82babda..40983d837f 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -7,13 +7,14 @@ brand: windows
 metadata:
   ms.topic: hub-page
   ms.prod: windows-client
+  ms.technology: itpro-security
   ms.collection:
     - highpri
     - tier1
   author: paolomatarazzo
   ms.author: paoloma
   manager: aaroncz
-  ms.date: 08/11/2023
+  ms.date: 09/18/2023
 
 highlightedContent:
   items:
@@ -72,14 +73,14 @@ productDirectory:
       links:
         - url: /windows/security/identity-protection/hello-for-business
           text: Windows Hello for Business
-        - url: /windows/security/identity-protection/credential-guard/credential-guard
-          text: Windows Defender Credential Guard
-        - url: /windows-server/identity/laps/laps-overview
-          text: Windows LAPS (Local Administrator Password Solution)
+        - url: /windows/security/identity-protection/passwordless-experience
+          text: Windows passwordless experience
+        - url: /windows/security/identity-protection/web-sign-in
+          text: Web sign-in for Windows
+        - url: /windows/security/identity-protection/passkeys
+          text: Support for passkeys in Windows
         - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
           text: Enhanced phishing protection with SmartScreen
-        - url: /education/windows/federated-sign-in
-          text: Federated sign-in (EDU)
         - url: /windows/security/identity-protection
           text: Learn more about identity protection >
 
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 303f8c3057..d730747292 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -122,18 +122,18 @@ It's possible that you might revoke data from an unenrolled device only to later
 ## Auto-recovery of encryption keys
 Starting with Windows 10, version 1709, WIP includes a data recovery feature that lets your employees auto-recover access to work files if the encryption key is lost and the files are no longer accessible. This typically happens if an employee reimages the operating system partition, removing the WIP key info, or if a device is reported as lost and you mistakenly target the wrong device for unenrollment.
 
-To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Azure Active Directory (Azure AD) identity.
+To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Microsoft Entra identity.
 
-The employee experience is based on signing in with an Azure AD work account. The employee can either:
+The employee experience is based on signing in with a Microsoft Entra ID work account. The employee can either:
 
 - Add a work account through the **Windows Settings > Accounts > Access work or school > Connect** menu.
 
     -OR-
 
-- Open **Windows Settings > Accounts > Access work or school > Connect** and choose the **Join this device to Azure Active Directory** link, under **Alternate actions**.
+- Open **Windows Settings > Accounts > Access work or school > Connect** and choose the **Join this device to Microsoft Entra ID** link, under **Alternate actions**.
 
     >[!Note]
-    >To perform an Azure AD Domain Join from the Settings page, the employee must have administrator privileges to the device.
+    >To perform a Microsoft Entra Domain Join from the Settings page, the employee must have administrator privileges to the device.
 
 After signing in, the necessary WIP key info is automatically downloaded and employees are able to access the files again.
 
@@ -147,7 +147,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
 
     The **Access work or school settings** page appears.
 
-3. Sign-in to Azure AD as the employee and verify that the files now open
+3. Sign-in to Microsoft Entra ID as the employee and verify that the files now open
 
 ## Related topics
 
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 709de2a54d..c3badb03b9 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -52,7 +52,7 @@ After you've created your VPN policy, you'll need to deploy it to the same group
 
 1.  On the **App policy** blade, select your newly created policy, select **User groups** from the menu that appears, and then select **Add user group**.
 
-    A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** blade.
+    A list of user groups, made up of all of the security groups in your Microsoft Entra ID, appear in the **Add user group** blade.
 
 2. Choose the group you want your policy to apply to, and then select **Select** to deploy the policy.
 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 6cb50dc76b..c73eda005f 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -27,23 +27,23 @@ You can create an app protection policy in Intune either with device enrollment
 
 - MAM has more **Access** settings for Windows Hello for Business.
 - MAM can [selectively wipe company data](/intune/apps-selective-wipe) from a user's personal device.
-- MAM requires an [Azure Active Directory (Azure AD) Premium license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
-- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
+- MAM requires an [Microsoft Entra ID P1 or P2 license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
+- A Microsoft Entra ID P1 or P2 license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery depends on Microsoft Entra registration to back up the encryption keys, which requires device auto-enrollment with MDM.
 - MAM supports only one user per device.  
 - MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
 - Only MDM can use [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) policies.
-- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. 
+- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Microsoft Entra ID. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. 
 
 
 ## Prerequisites
 
-Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Directory (Azure AD) Premium license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. 
+Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Microsoft Entra ID. MAM requires an [Microsoft Entra ID P1 or P2 license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). A Microsoft Entra ID P1 or P2 license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery relies on Microsoft Entra registration to back up the encryption keys, which requires device auto-enrollment with MDM. 
 
 ## Configure the MDM or MAM provider
 
 1. Sign in to the Azure portal.
 
-2. Select **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
+2. Select **Microsoft Entra ID** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
 
 3. Select **Restore Default URLs** or enter the settings for MDM or MAM user scope and select **Save**:
 
@@ -431,7 +431,7 @@ For example:
 URL <,proxy>|URL <,proxy>|/*AppCompat*/
 ```
 
-When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
+When you use this string, we recommend that you also turn on [Microsoft Entra Conditional Access](/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
 
 Value format with proxy:
 
diff --git a/windows/security/introduction.md b/windows/security/introduction.md
index a87668dc0e..92105b512d 100644
--- a/windows/security/introduction.md
+++ b/windows/security/introduction.md
@@ -1,7 +1,7 @@
 ---
 title: Introduction to Windows security
 description: System security book.
-ms.date: 08/01/2023
+ms.date: 09/01/2023
 ms.topic: tutorial
 ms.author: paoloma
 content_well_notification: 
@@ -25,7 +25,7 @@ A Zero Trust security model gives the right people the right access at the right
 1. When verified, give people and devices access to only necessary resources for the necessary amount of time
 1. Use continuous analytics to drive threat detection and improve defenses
 
-For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
+For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Microsoft Entra ID, which enables timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
 
 ### Security, by default
 
@@ -45,11 +45,11 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d
 
 ### Secured identities
 
-Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
+Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
 
 ### Connecting to cloud services
 
-Microsoft offers comprehensive cloud services for identity, storage, and access management in addition to the tools needed to attest that Windows devices connecting to your network are trustworthy. You can also enforce compliance and conditional access with a modern device management (MDM) service such as Microsoft Intune, which works with Azure Active Directory and Microsoft Azure Attestation to control access to applications and data through the cloud.
+Microsoft offers comprehensive cloud services for identity, storage, and access management in addition to the tools needed to attest that Windows devices connecting to your network are trustworthy. You can also enforce compliance and conditional access with a modern device management (MDM) service such as Microsoft Intune, which works with Microsoft Entra ID and Microsoft Azure Attestation to control access to applications and data through the cloud.
 
 ## Next steps
 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
index 52cc2816b8..16a611c770 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
@@ -59,7 +59,7 @@ For the operating system volume the **BitLocker Drive Encryption Wizard** presen
 
     The recovery key can be stored using the following methods:
 
-   - **Save to your Azure AD account** (if applicable)
+   - **Save to your Microsoft Entra account** (if applicable)
    - **Save to a USB flash drive**
    - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
    - **Print the recovery key**
@@ -126,7 +126,7 @@ Encrypting data volumes using the BitLocker control panel works in a similar fas
 
 3. The **BitLocker Drive Encryption Wizard** presents options for storage of the recovery key. These options are the same as for operating system volumes:
 
-   - **Save to your Azure AD account** (if applicable)
+   - **Save to your Microsoft Entra account** (if applicable)
    - **Save to a USB flash drive**
    - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
    - **Print the recovery key**
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
index 1654153fec..dd95d6dbc5 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -16,7 +16,7 @@ This article depicts the BitLocker deployment comparison chart.
 | *Minimum client operating system version* | Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
 | *Supported Windows SKUs* | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
 | *Minimum Windows version* | 1909 | None | None |
-| *Supported domain-joined status* | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined |
+| *Supported domain-joined status* | Microsoft Entra joined, Microsoft Entra hybrid joined | Active Directory-joined, Microsoft Entra hybrid joined | Active Directory-joined |
 | *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
 | *Cloud or on premises* | Cloud | On premises | On premises |
 | Server components required? |  | ✅ | ✅ |
@@ -31,16 +31,16 @@ This article depicts the BitLocker deployment comparison chart.
 | *Select cipher strength and algorithms for fixed drives* | ✅ | ✅ | ✅ |
 | *Select cipher strength and algorithms for removable drives* | ✅ | ✅ | ✅ |
 | *Select cipher strength and algorithms for operating environment drives* | ✅ | ✅ | ✅ |
-| *Standard recovery password storage location* | Azure AD or Active Directory | Configuration Manager site database | MBAM database |
-| *Store recovery password for operating system and fixed drives to Azure AD or Active Directory* | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
+| *Standard recovery password storage location* | Microsoft Entra ID or Active Directory | Configuration Manager site database | MBAM database |
+| *Store recovery password for operating system and fixed drives to Microsoft Entra ID or Active Directory* | Yes (Active Directory and Microsoft Entra ID) | Yes (Active Directory only) | Yes (Active Directory only) |
 | *Customize preboot message and recovery link* | ✅ | ✅ | ✅ |
 | *Allow/deny key file creation* | ✅ | ✅ | ✅ |
 | *Deny Write permission to unprotected drives* | ✅ | ✅ | ✅ |
 | *Can be administered outside company network* | ✅ | ✅ |  |
 | *Support for organization unique IDs* |  | ✅ | ✅ |
-| *Self-service recovery* | Yes (through Azure AD or Company Portal app) | ✅ | ✅ |
+| *Self-service recovery* | Yes (through Microsoft Entra ID or Company Portal app) | ✅ | ✅ |
 | *Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | ✅ | ✅ |
-| *Wait to complete encryption until recovery information is backed up to Azure AD* | ✅ |  |  |
+| *Wait to complete encryption until recovery information is backed up to Microsoft Entra ID* | ✅ |  |  |
 | *Wait to complete encryption until recovery information is backed up to Active Directory* |  | ✅ | ✅ |
 | *Allow or deny Data Recovery Agent* | ✅ | ✅ | ✅ |
 | *Unlock a volume using certificate with custom object identifier* |  | ✅ | ✅ |
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index d93426076e..7b8887a82c 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -67,7 +67,7 @@ Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabl
   
   With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
 
-- Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
+- Similar to signing in with a domain account, the clear key is removed when the user signs in to a Microsoft Entra account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Microsoft Entra ID. Then, the recovery key is backed up to Microsoft Entra ID, the TPM protector is created, and the clear key is removed.
 
 Microsoft recommends automatically enabling BitLocker Device Encryption on any systems that support it. However, the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
 
@@ -160,4 +160,4 @@ Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administrat
 
 Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management).
 
-Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
+Enterprises not using Configuration Manager can use the built-in features of Microsoft Entra ID and Microsoft Intune for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
index c88b6cde1e..e9c661179f 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -17,22 +17,24 @@ Though much Windows [BitLocker documentation](index.md) has been published, cust
 
 Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](bitlocker-group-policy-settings.md).
 
-Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
+Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Microsoft Entra ID.
 
 > [!IMPORTANT]
 > Microsoft BitLocker Administration and Monitoring (MBAM) capabilities are offered through Configuration Manager BitLocker Management. See [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management) in the Configuration Manager documentation for additional information.
 
-## Managing devices joined to Azure Active Directory
+<a name='managing-devices-joined-to-azure-active-directory'></a>
 
-Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
+## Managing devices joined to Microsoft Entra ID
+
+Devices joined to Microsoft Entra ID are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
 
 Starting with Windows 10 version 1703, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones.
 
-For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
+For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Microsoft Entra ID. Microsoft Entra ID provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Microsoft Entra ID. This process and feature is applicable to Azure Hybrid AD as well.
 
 ## Managing workplace-joined PCs and phones
 
-For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
+For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Microsoft Entra ID.
 
 ## Managing servers
 
@@ -47,9 +49,9 @@ If a server is being installed manually, such as a stand-alone server, then choo
 
 ## PowerShell examples
 
-For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure AD.  
+For Microsoft Entra joined computers, including virtual machines, the recovery password should be stored in Microsoft Entra ID.  
 
-**Example**: *Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
+**Example**: *Use PowerShell to add a recovery password and back it up to Microsoft Entra ID before enabling BitLocker*
 
 ```powershell
 Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
index c934ae7570..a2bf3f755c 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -344,7 +344,7 @@ BitLocker metadata has been enhanced starting in Windows 10, version 1903, to in
 ![Customized BitLocker recovery screen.](images/bl-password-hint2.png)
 
 > [!IMPORTANT]
-> It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account.
+> It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Microsoft Entra ID and Microsoft account.
 
 There are rules governing which hint is shown during the recovery (in the order of processing):
 
@@ -356,7 +356,7 @@ There are rules governing which hint is shown during the recovery (in the order
 
 4. Prioritize keys with successful backup over keys that have never been backed up.
 
-5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**.
+5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Microsoft Entra ID > Active Directory**.
 
 6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints.
 
@@ -371,7 +371,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     Yes    |
 |----------------------|------------|
 |     Saved to Microsoft Account     |     Yes    |
-|     Saved to Azure AD     |     No     |
+|     Saved to Microsoft Entra ID     |     No     |
 |     Saved to Active Directory      |     No     |
 |     Printed          |     No     |
 |     Saved to file    |     No     |
@@ -385,7 +385,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     Yes    |
 |----------------------|------------|
 |     Saved to Microsoft Account     |     No     |
-|     Saved to Azure AD     |     No     |
+|     Saved to Microsoft Entra ID     |     No     |
 |     Saved to Active Directory      |     Yes    |
 |     Printed          |     No     |
 |     Saved to file    |     No     |
@@ -399,7 +399,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     No     |
 |----------------------|------------|
 |     Saved to Microsoft Account     |     Yes    |
-|     Saved to Azure AD     |     Yes    |
+|     Saved to Microsoft Entra ID     |     Yes    |
 |     Saved to Active Directory      |     No     |
 |     Printed          |     Yes    |
 |     Saved to file    |     Yes    |
@@ -413,7 +413,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     No          |
 |----------------------|-----------------|
 |     Saved to Microsoft Account     |     No          |
-|     Saved to Azure AD     |     No          |
+|     Saved to Microsoft Entra ID     |     No          |
 |     Saved to Active Directory      |     No          |
 |     Printed          |     No          |
 |     Saved to file    |     Yes         |
@@ -426,7 +426,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     No          |
 |----------------------|-----------------|
 |     Saved to Microsoft Account     |     No          |
-|     Saved to Azure AD     |     No          |
+|     Saved to Microsoft Entra ID     |     No          |
 |     Saved to Active Directory      |     No          |
 |     Printed          |     No          |
 |     Saved to file    |     No          |
@@ -442,7 +442,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     No          |
 |----------------------|-----------------|
 |     Saved to Microsoft Account     |     Yes         |
-|     Saved to Azure AD     |     Yes         |
+|     Saved to Microsoft Entra ID     |     Yes         |
 |     Saved to Active Directory      |     No          |
 |     Printed          |     No          |
 |     Saved to file    |     No          |
@@ -452,7 +452,7 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Custom URL       |     No        |
 |----------------------|-----------------|
 |     Saved to Microsoft Account     |     No          |
-|     Saved to Azure AD     |     Yes         |
+|     Saved to Microsoft Entra ID     |     Yes         |
 |     Saved to Active Directory      |     No          |
 |     Printed          |     No          |
 |     Saved to file    |     No          |
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
index 9af21917f8..7f560a14b9 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
@@ -473,4 +473,4 @@ sections:
       - question: |
           Can I use BitLocker with virtual machines (VMs)?
         answer: |
-          Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. Encryption can be enabled either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or sign-in script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
+          Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Microsoft Entra joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. Encryption can be enabled either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or sign-in script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md
index 2464ef0104..3faff60393 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/index.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md
@@ -13,7 +13,7 @@ ms.date: 08/03/2023
 Bitlocker is a Windows disk encryption feature, designed to protect data by providing encryption for entire volumes.\
 BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
 
-BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
+BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices and it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
 
 On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
deleted file mode 100644
index fe2fb5b3e9..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: Configure Personal Data Encryption (PDE) in Intune
-description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-<!-- Max 5963468 OS 32516487 -->
-<!-- Max 6946251 -->
-
-# Configure Personal Data Encryption (PDE) policies in Intune
-
-The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune.
-
-## Required prerequisites
-
-1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-## Security hardening recommendations
-
-1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-1. [Disable hibernation](intune-disable-hibernation.md)
-1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## See also
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
new file mode 100644
index 0000000000..dc6e715410
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@@ -0,0 +1,141 @@
+---
+title: PDE settings and configuration
+description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+ms.topic: how-to
+ms.date: 08/11/2023
+---
+
+# PDE settings and configuration
+
+This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+
+> [!NOTE]
+> PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
+>
+> The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
+
+## PDE settings
+
+The following table lists the required settings to enable PDE.
+
+| Setting name | Description |
+|-|-|
+|Enable Personal Data Encryption|PDE isn't enabled by default. Before PDE can be used, you must enable it.|
+|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.|
+
+## PDE hardening recommendations
+
+The following table lists the recommended settings to improve PDE's security.
+
+| Setting name | Description |
+|-|-|
+|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
+|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
+|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|
+|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Microsoft Entra joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Microsoft Entra joined devices.|
+
+## Configure PDE with Microsoft Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+|**PDE**|Enable Personal Data Encryption (User)|Enable Personal Data Encryption|
+|**Administrative Templates > Windows Components > Windows Logon Options**|Sign-in and lock last interactive user automatically after a restart|Disabled|
+|**Memory Dump**|Allow Live Dump|Block|
+|**Memory Dump**|Allow Crash Dump|Block|
+|**Administrative Templates > Windows Components > Windows Error Reporting** | Disable Windows Error Reporting | Enabled|
+|**Power**|Allow Hibernate|Block|
+|**Administrative Templates > System > Logon** | Allow users to select when a password is required when resuming from connected standby | Disabled|
+
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
+
+> [!TIP]
+> Use the following Graph call to automatically create the settings catalog policy in your tenant without assignments nor scope tags.
+>
+> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{ "id": "00-0000-0000-0000-000000000000", "name": "_MSLearn_PDE", "description": "", "platforms": "windows10", "technologies": "mdm", "roleScopeTagIds": [ "0" ], "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_power_allowhibernate_0", "children": [] } } } ] }
+```
+
+## Configure PDE with CSP
+
+Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE CSP][CSP-2].
+
+|OMA-URI|Format|Value|
+|-|-|-|
+|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`|
+|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|`<disabled/>`|
+|`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`|
+|`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`|
+|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|`<enabled/>`|
+|`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`|
+|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|`<disabled/>`|
+
+## Disable PDE
+
+Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.
+
+### Disable PDE with a settings catalog policy in Intune
+
+[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+|**PDE**|**Enable Personal Data Encryption (User)**|Disable Personal Data Encryption|
+
+[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
+
+### Disable PDE with CSP
+
+You can disable PDE with CSP using the following setting:
+
+|OMA-URI|Format|Value|
+|-|-|-|
+|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`0`|
+
+## Decrypt PDE-encrypted content
+
+Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE-protected files can be manually decrypted using the following steps:
+
+1. Open the properties of the file
+1. Under the **General** tab, select **Advanced...**
+1. Uncheck the option **Encrypt contents to secure data**
+1. Select **OK**, and then **OK** again
+
+PDE-protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios:
+
+- Decrypting a large number of files on a device
+- Decrypting files on multiple of devices
+
+To decrypt files on a device using `cipher.exe`:
+
+- Decrypt all files under a directory including subdirectories:
+
+  ```cmd
+  cipher.exe /d /s:<path_to_directory>
+  ```
+
+- Decrypt a single file or all of the files in the specified directory, but not any subdirectories:
+
+  ```cmd
+  cipher.exe /d <path_to_file_or_directory>
+  ```
+
+> [!IMPORTANT]
+> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using PDE.
+
+## Next steps
+
+- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+
+<!--links used in this document-->
+
+[CSP-1]: /windows/client-management/mdm/policy-configuration-service-provider
+[CSP-2]: /windows/client-management/mdm/personaldataencryption-csp
+
+[WINS-1]: /windows-server/administration/windows-commands/cipher
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
similarity index 73%
rename from windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
rename to windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
index 0429e74204..9dbd3b3def 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
@@ -4,7 +4,7 @@ metadata:
   title: Frequently asked questions for Personal Data Encryption (PDE)
   description: Answers to common questions regarding Personal Data Encryption (PDE).
   ms.topic: faq
-  ms.date: 03/13/2023
+  ms.date: 08/11/2023
 
 title: Frequently asked questions for Personal Data Encryption (PDE)
 summary: |
@@ -45,17 +45,9 @@ sections:
         answer: |
           No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
 
-      - question: How can it be determined if a file is protected with PDE?
-        answer: |
-          - Files protected with PDE and EFS will both show a padlock on the file's icon. To verify whether a file is protected with PDE vs. EFS:
-            1. In the properties of the file, navigate to **General** > **Advanced**. The option **Encrypt contents to secure data** should be selected.
-            2. Select the **Details** button.
-            3. If the file is protected with PDE, under **Protection status:**, the item **Personal Data Encryption is:** will be marked as **On**.
-          - [`cipher.exe`](/windows-server/administration/windows-commands/cipher) can also be used to show the encryption state of the file.
-
       - question: Can users manually encrypt and decrypt files with PDE?
         answer: |
-          Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md).
+          Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content). 
 
       - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
         answer: |
@@ -64,9 +56,3 @@ sections:
       - question: What encryption method and strength does PDE use?
         answer: |
           PDE uses AES-CBC with a 256-bit key to encrypt content.
-
-additionalContent: |
-  ## See also
-    - [Personal Data Encryption (PDE)](index.md)
-    - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
-    
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
deleted file mode 100644
index b34908147d..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-ms.topic: include
-ms.date: 03/13/2023
----
-
-<!-- Max 5963468 OS 32516487 -->
-<!-- Max 6946251 -->
-
-Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows.
-
-PDE differs from BitLocker in that it  encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
-
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
-
-Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business.
-
-Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
-
-> [!NOTE]
-> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index 83e0433698..14df705407 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -2,89 +2,40 @@
 title: Personal Data Encryption (PDE)
 description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
 ms.topic: how-to
-ms.date: 03/13/2023
+ms.date: 08/11/2023
 ---
 
 # Personal Data Encryption (PDE)
 
-[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
+Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows.
 
-[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
+PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
+When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs into the device.
+
+The use of Windows Hello for Business offers the following advantages:
+
+- It reduces the number of credentials to access encrypted content: users only need to sign-in with Windows Hello for Business
+- The accessibility features available when using Windows Hello for Business extend to PDE protected content
+
+PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.\
+Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.
 
 ## Prerequisites
 
-### Required
+To use PDE, the following prerequisites must be met:
 
-- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
-- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/index.md)
-- Windows 11, version 22H2 and later Enterprise and Education editions
+- Windows 11, version 22H2 and later
+- The devices must be [Microsoft Entra joined][AAD-1]. Domain-joined and Microsoft Entra hybrid joined devices aren't supported
+- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
 
-### Not supported with PDE
+> [!IMPORTANT]
+> If you sign in with a password or a [security key][AAD-2], you can't access PDE protected content.
 
-- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
-- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
-  - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md).
-- [Protect your enterprise data using Windows Information Protection (WIP)](../../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md)
-- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
-- Remote Desktop connections
-
-### Security hardening recommendations
-
-- [Kernel-mode crash dumps  and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
-
-   Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md).
-
-- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
-
-   Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md).
-
-- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
-
-   Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md).
-
-- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
-
-    When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
-
-  - On-premises Active Directory joined devices:
-
-    - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
-
-    - A password is required immediately after the screen turns off.
-
-    The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
-
-  - Workgroup devices, including Azure AD joined devices:
-
-    - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
-
-    - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
-
-    Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
-
-   For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md).
-
-### Highly recommended
-
-- [BitLocker Drive Encryption](../bitlocker/index.md) enabled
-
-   Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker.
-
-- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview)
-
-   In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup.
-
-- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
-
-   Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
-
-- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
-
-   Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
+[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
 
 ## PDE protection levels
 
-PDE uses AES-CBC with a 256-bit key to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
 
 | Item | Level 1 | Level 2 |
 |---|---|---|
@@ -103,27 +54,11 @@ When a file is protected with PDE, its icon will show a padlock. If the user has
 
 Scenarios where a user will be denied access to PDE protected content include:
 
-- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
-- If protected via level 2 protection, when the device is locked.
-- When trying to access content on the device remotely. For example, UNC network paths.
-- Remote Desktop sessions.
-- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content.
-
-## How to enable PDE
-
-To enable PDE on devices, push an MDM policy to the devices with the following parameters:
-
-- Name: **Personal Data Encryption**
-- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
-- Data type: **Integer**
-- Value: **1**
-
-There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
-
-> [!NOTE]
-> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
-
-For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](intune-enable-pde.md).
+- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN
+- If protected via level 2 protection, when the device is locked
+- When trying to access content on the device remotely. For example, UNC network paths
+- Remote Desktop sessions
+- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content
 
 ## Differences between PDE and BitLocker
 
@@ -132,8 +67,8 @@ PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker,
 | Item | PDE | BitLocker |
 |--|--|--|
 | Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
-| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot |
-| Files protected | Individual specified files | Entire volume/drive |
+| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown |
+| Protected content | All files in protected folders | Entire volume/drive |
 | Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
 
 ## Differences between PDE and EFS
@@ -143,61 +78,38 @@ The main difference between protecting files with PDE instead of EFS is the meth
 To see if a file is protected with PDE or with EFS:
 
 1. Open the properties of the file
-2. Under the **General** tab, select **Advanced...**
-3. In the **Advanced Attributes** windows, select **Details**
+1. Under the **General** tab, select **Advanced...**
+1. In the **Advanced Attributes** windows, select **Details**
 
 For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
 
 For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
 
-Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command.
+Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command.
 
-## Disable PDE and decrypt content
+## Recommendations for using PDE
 
-Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows:
+The following are recommendations for using PDE:
 
-- Name: **Personal Data Encryption**
-- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
-- Data type: **Integer**
-- Value: **0**
-
-Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps:
-
-1. Open the properties of the file
-2. Under the **General** tab, select **Advanced...**
-3. Uncheck the option **Encrypt contents to secure data**
-4. Select **OK**, and then **OK** again
-
-PDE protected files can also be decrypted using [cipher.exe](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios:
-
-- Decrypting a large number of files on a device
-- Decrypting files on a large number of devices.
-
-To decrypt files on a device using `cipher.exe`:
-
-- Decrypt all files under a directory including subdirectories:
-
-    ```cmd
-    cipher.exe /d /s:<path_to_directory>
-    ```
-
-- Decrypt a single file or all of the files in the specified directory, but not any subdirectories:
-
-    ```cmd
-    cipher.exe /d <path_to_file_or_directory>
-    ```
-
-> [!IMPORTANT]
-> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE.
+- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
+- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
+- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
+- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN
 
 ## Windows out of box applications that support PDE
 
-Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
+Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE:
 
-- Mail
-  - Supports protecting both email bodies and attachments
+| App name | Details |
+|-|-|
+| Mail | Supports protecting both email bodies and attachments|
 
-## See also
+## Next steps
 
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
-- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
+- Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md)
+- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+
+<!--links used in this document-->
+
+[AAD-1]: /azure/active-directory/devices/concept-azure-ad-join
+[AAD-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
deleted file mode 100644
index 9fda445c43..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
-description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
-ms.topic: how-to
-ms.date: 06/01/2023
----
-
-# Disable Winlogon automatic restart sign-on (ARSO) for PDE
-
-Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled.
-
-## Disable Winlogon automatic restart sign-on (ARSO) in Intune
-
-To disable ARSO using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
-   1. Under **Platform**, select **Windows 10 and later**
-   1. Under **Profile type**, select **Templates**
-   1. When the templates appear, under **Template name**, select **Administrative templates**
-   1. Select **Create** to close the **Create profile** window.
-1. The **Create profile** screen will open. In the **Basics** page:
-   1. Next to **Name**, enter **Disable ARSO**
-   1. Next to **Description**, enter a description
-   1. Select **Next**
-1. In the **Configuration settings** page:
-   1. On the left pane of the page, make sure **Computer Configuration** is selected
-   1. Under **Setting name**, scroll down and select **Windows Components**
-   1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option
-   1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**
-   1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
-   1. Select **Next**
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
-   1. Under **Included groups**, select **Add groups**
-        > [!NOTE]
-        > Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-   1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
-   1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
deleted file mode 100644
index ef18936b1b..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: Disable hibernation for PDE in Intune
-description: Disable hibernation for PDE in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Disable hibernation for PDE
-
-Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.
-
-## Disable hibernation in Intune
-
-To disable hibernation using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
-   1. Under **Platform**, select **Windows 10 and later**
-   1. Under **Profile type**, select **Settings catalog**
-   1. Select **Create** to close the **Create profile** window
-1. The **Create profile** screen will open. In the **Basics** page:
-   1. Next to **Name**, enter **Disable Hibernation**
-   1. Next to **Description**, enter a description
-   1. Select **Next**
-1. In the **Configuration settings** page:
-   1. select **Add settings**
-   1. In the **Settings picker** window that opens:
-      1. Under **Browse by category**, scroll down and select **Power**
-      1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
-   1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option
-   1. Select **Next**
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
-   1. Under **Included groups**, select **Add groups**
-        > [!NOTE]
-        > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-   1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
-   1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
deleted file mode 100644
index 66a238e3c9..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Disable kernel-mode crash dumps and live dumps for PDE in Intune
-description: Disable kernel-mode crash dumps and live dumps for PDE in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Disable kernel-mode crash dumps and live dumps for PDE
-
-Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.
-
-## Disable kernel-mode crash dumps and live dumps in Intune
-
-To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
-   1. Under **Platform**, select **Windows 10 and later**
-   1. Under **Profile type**, select **Settings catalog**
-   1. Select **Create** to close the **Create profile** window
-1. The **Create profile** screen will open. In the **Basics** page:
-   1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**
-   1. Next to **Description**, enter a description.
-   1. Select **Next**
-1. In the **Configuration settings** page:
-   1. Select **Add settings**
-   1. In the **Settings picker** window that opens:
-      1. Under **Browse by category**, scroll down and select **Memory Dump**
-      1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
-   1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
-   1. Under **Included groups**, select **Add groups**
-        > [!NOTE]
-        > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-   1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
-   1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
deleted file mode 100644
index 4cf442e308..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
-description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Disable allowing users to select when a password is required when resuming from connected standby for PDE
-
-When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
-
-- On-premises Active Directory joined devices:
-  - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device
-  - A password is required immediately after the screen turns off
-    The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices
-- Workgroup devices, including Azure AD joined devices:
-  - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device
-  - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome
-
-Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
-
-## Disable allowing users to select when a password is required when resuming from connected standby in Intune
-
-To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
-   1. Under **Platform**, select **Windows 10 and later**
-   1. Under **Profile type**, select **Settings catalog**
-   1. Select **Create** to close the **Create profile** window
-1. The **Create profile** screen will open. In the **Basics** page:
-    1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**
-    1. Next to **Description**, enter a description
-    1. Select **Next**.
-
-1. In the **Configuration settings** page:
-   1. Select **Add settings**
-   1. In the **Settings picker** window that opens:
-      1. Under **Browse by category**, expand **Administrative Templates**
-      1. Under **Administrative Templates**, scroll down and expand **System**
-      1. Under **System**, scroll down and select **Logon**
-      1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
-   1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**
-   1. select **Next**
-
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
-   1. Under **Included groups**, select **Add groups**
-        > [!NOTE]
-        > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-   1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
-   1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
deleted file mode 100644
index 39fe957317..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
-description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
-
-Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.
-
-## Disable Windows Error Reporting (WER)/user-mode crash dumps in Intune
-
-To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
-   1. Under **Platform**, select **Windows 10 and later**
-   1. Under **Profile type**, select **Settings catalog**
-   1. Select **Create** to close the **Create profile** window
-1. The **Create profile** screen will open. In the **Basics** page:
-   1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**
-   1. Next to **Description**, enter a description
-   1. Select **Next**
-1. In the **Configuration settings** page:
-   1. Select **Add settings**
-   1. In the **Settings picker** window that opens:
-      1. Under **Browse by category**, expand **Administrative Templates**
-      1. Under **Administrative Templates**, scroll down and expand **Windows Components**
-      1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it
-      1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
-   1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option
-   1. Select **Next**
-1. In the **Scope tags** page, configure if necessary and then select **Next**
-1. In the **Assignments** page:
-   1. Under **Included groups**, select **Add groups**
-        > [!NOTE]
-        > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-   1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
-   1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
deleted file mode 100644
index 795504237c..0000000000
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Enable Personal Data Encryption (PDE) in Intune
-description: Enable Personal Data Encryption (PDE) in Intune
-ms.topic: how-to
-ms.date: 03/13/2023
----
-
-# Enable Personal Data Encryption (PDE)
-
-By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled.  This can be done via a custom OMA-URI policy assigned to the device.
-
-> [!NOTE]
-> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
-
-## Enable Personal Data Encryption (PDE) in Intune
-
-To enable Personal Data Encryption (PDE) using Intune, follow the below steps:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. In the **Home** screen, select **Devices** in the left pane
-1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
-1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
-1. In the **Create profile** window that opens:
-   1. Under **Platform**, select **Windows 10 and later**
-   1. Under **Profile type**, select **Templates**
-   1. When the templates appears, under **Template name**, select **Custom**
-   1. Select **Create** to close the **Create profile** window
-1. The **Custom** screen will open. In the **Basics** page:
-   1. Next to **Name**, enter **Personal Data Encryption**
-   1. Next to **Description**, enter a description
-   1. Select **Next**
-1. In **Configuration settings** page:
-   1. Next to **OMA-URI Settings**, select **Add**
-   1. In the **Add Row** window that opens:
-     1. Next to **Name**, enter **Personal Data Encryption**
-     1. Next to **Description**, enter a description
-     1. Next to **OMA-URI**, enter in:
-        **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**
-     1. Next to **Data type**, select **Integer**
-     1. Next to **Value**, enter in **1**
-     1. Select **Save** to close the **Add Row** window
-   1. Select **Next**
-1. In the **Assignments** page:
-   1. Under **Included groups**, select **Add groups**
-        > [!NOTE]
-        > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
-   1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
-   1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
-1. In **Applicability Rules**, configure if necessary and then select **Next**
-1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Additional PDE configurations in Intune
-
-The following PDE configurations can also be configured using Intune:
-
-### Prerequisites
-
-- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
-
-### Security hardening recommendations
-
-- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
-- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
-- [Disable hibernation](intune-disable-hibernation.md)
-- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
-
-## More information
-
-- [Personal Data Encryption (PDE)](index.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
index 0bb7c66820..f526600bd4 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
@@ -1,19 +1,7 @@
 items:
-- name: Overview
+- name: PDE overview
   href: index.md
-- name: Configure PDE with Intune
-  href: configure-pde-in-intune.md
-- name: Enable Personal Data Encryption (PDE)
-  href: intune-enable-pde.md
-- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
-  href: intune-disable-arso.md
-- name: Disable kernel-mode crash dumps and live dumps for PDE
-  href: intune-disable-memory-dumps.md
-- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
-  href: intune-disable-wer.md
-- name: Disable hibernation for PDE
-  href: intune-disable-hibernation.md
-- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
-  href: intune-disable-password-connected-standby.md
+- name: Configure PDE
+  href: configure.md
 - name: PDE frequently asked questions (FAQ)
-  href: faq-pde.yml
\ No newline at end of file
+  href: faq.yml
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index ae9673a74d..f61993984e 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -74,8 +74,8 @@ If the credentials are certificate-based, then the elements in the following tab
 |------------------|---------------|
 | SubjectName | The user's distinguished name (DN) where the domain components of the distinguished name reflect the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller. </br>This requirement is relevant in multi-forest environments as it ensures a domain controller can be located. |
 | SubjectAlternativeName | The user's fully qualified UPN where a domain name component of the user's UPN matches the organizations internal domain's DNS namespace. </br>This requirement is relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. |
-| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. |
-| EnhancedKeyUsage | One or more of the following EKUs is required: </br><ul><li>Client Authentication (for the VPN)</li><li>EAP Filtering OID (for Windows Hello for Business)</li><li>SmartCardLogon (for Azure AD-joined devices)</li></ul>If the domain controllers require smart card EKU either:<ul><li>SmartCardLogon</li><li>id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) </li></ul>Otherwise:</br><ul><li>TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2)</li></ul> |
+| Key Storage Provider (KSP) | If the device is joined to Microsoft Entra ID, a discrete SSO certificate is used. |
+| EnhancedKeyUsage | One or more of the following EKUs is required: </br><ul><li>Client Authentication (for the VPN)</li><li>EAP Filtering OID (for Windows Hello for Business)</li><li>SmartCardLogon (for Microsoft Entra joined devices)</li></ul>If the domain controllers require smart card EKU either:<ul><li>SmartCardLogon</li><li>id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) </li></ul>Otherwise:</br><ul><li>TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2)</li></ul> |
 
 ## NDES server configuration
 
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 26738c946b..2606196671 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -1,25 +1,25 @@
 ---
 title: VPN and conditional access
-description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Azure Active Directory (Azure AD) connected apps.
+description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
 ms.date: 08/03/2023
 ms.topic: conceptual
 ---
 
 # VPN and conditional access
 
-The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
+The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Microsoft Entra connected application.
 
 >[!NOTE]
->Conditional Access is an Azure AD Premium feature.
+>Conditional Access is a Microsoft Entra ID P1 or P2 feature.
 
 Conditional Access Platform components used for Device Compliance include the following cloud-based services:
 
 - [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
-- [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
+- [Microsoft Entra Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
 - [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
-- Azure AD Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA can't be configured as part of an on-premises Enterprise CA.
+- Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA.
 See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
-- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
+- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued.
 - [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
   - Antivirus status
   - Auto-update status and update compliance
@@ -35,12 +35,12 @@ The following client-side components are also required:
 
 ## VPN device compliance
 
-At this time, the Azure AD certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section.
+At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section.
 
 Server-side infrastructure requirements to support VPN device compliance include:
 
 - The VPN server should be configured for certificate authentication.
-- The VPN server should trust the tenant-specific Azure AD CA.
+- The VPN server should trust the tenant-specific Microsoft Entra CA.
 - For client access using Kerberos/NTLM, a domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO).
 
 After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node.
@@ -48,7 +48,7 @@ After the server side is set up, VPN admins can add the policy settings for cond
 Two client-side configuration service providers are leveraged for VPN device compliance.
 
 - VPNv2 CSP DeviceCompliance settings:
-  - **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client attempts to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
+  - **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client attempts to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Microsoft Entra ID.
   - **Sso**: entries under SSO should be used to direct the VPN client to use a certificate other than the VPN authentication certificate when accessing resources that require Kerberos authentication.
   - **Sso/Enabled**: if this field is set to **true**, the VPN client looks for a separate certificate for Kerberos authentication.
   - **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication.
@@ -71,20 +71,22 @@ The VPN client side connection flow works as follows:
 
 When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Enabled> the VPN client uses this connection flow:
 
-1. The VPN client calls into Windows 10's or Windows 11's Azure AD Token Broker, identifying itself as a VPN client.
-1. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
-1. If compliant, Azure AD requests a short-lived certificate.
-1. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection  processing.
-1. The VPN client uses the Azure AD-issued certificate to authenticate with the VPN server.
+1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client.
+1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies.
+1. If compliant, Microsoft Entra ID requests a short-lived certificate.
+1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection  processing.
+1. The VPN client uses the Microsoft Entra ID-issued certificate to authenticate with the VPN server.
 
 ## Configure conditional access
 
 See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
 
-## Learn more about Conditional Access and Azure AD Health
+<a name='learn-more-about-conditional-access-and-azure-ad-health'></a>
 
-- [Azure Active Directory conditional access](/azure/active-directory/conditional-access/overview)
-- [Getting started with Azure Active Directory Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
+## Learn more about Conditional Access and Microsoft Entra Health
+
+- [Microsoft Entra Conditional Access](/azure/active-directory/conditional-access/overview)
+- [Getting started with Microsoft Entra Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
 - [Control the health of Windows devices](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
index cd91bd8540..f4b96d4267 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
@@ -23,7 +23,7 @@ To create a Windows VPN device configuration profile see: [Windows device settin
 | [VPN connection types](vpn-connection-type.md) | Select a VPN client and tunneling protocol |
 | [VPN routing decisions](vpn-routing.md)  | Choose between split tunnel and force tunnel configuration |
 | [VPN authentication options](vpn-authentication.md)  | Select a method for Extensible Authentication Protocol (EAP) authentication. |
-| [VPN and conditional access](vpn-conditional-access.md)  | Use Azure Active Directory policy evaluation to set access policies for VPN connections. |
+| [VPN and conditional access](vpn-conditional-access.md)  | Use Microsoft Entra policy evaluation to set access policies for VPN connections. |
 | [VPN name resolution](vpn-name-resolution.md)  | Decide how name resolution should work |
 | [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)  | Set a VPN profile to connect automatically by app or by name, to be "always on", and to not trigger VPN on trusted networks |
 | [VPN security features](vpn-security-features.md)  | Configure traffic filtering, connect a VPN profile to Windows Information Protection (WIP), and more |
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
index 5aae45f5c3..21b3797cf1 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
@@ -1,7 +1,7 @@
 ---
 title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
-ms.topic: article
+ms.topic: how-to
 ms.date: 08/03/2023
 ---
 # Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
index ece353e83c..e6bba9c9db 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
 ms.collection: 
   - highpri
   - tier3
+  - must-keep
 ms.topic: conceptual
 ms.date: 09/07/2021
 ---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
index fa3fa7d18b..c0f7eb352f 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
@@ -6,7 +6,8 @@ ms.date: 11/09/2022
 ms.collection: 
   - highpri
   - tier3
-ms.topic: article
+  - must-keep
+ms.topic: best-practice
 ---
 
 # Best practices for configuring Windows Defender Firewall
@@ -104,7 +105,7 @@ To determine why some applications are blocked from communicating in the network
 
 Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy.
 
-![Windows Firewall prompt.](images/fw04-userquery.png)
+:::image type="content" alt-text="Windows Firewall prompt." source="images/fw04-userquery.png":::
 
 *Figure 4: Dialog box to allow access*
 
@@ -184,7 +185,7 @@ incoming connections, including those in the list of allowed apps** setting foun
 
 *Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type*
 
-![Firewall cpl.](images/fw07-legacy.png)
+:::image type="content" alt-text="Firewall cpl." source="images/fw07-legacy.png":::
 
 *Figure 7: Legacy firewall.cpl*
 
@@ -207,3 +208,24 @@ For tasks related to creating outbound rules, see [Checklist: Creating Outbound
 ## Document your changes
 
 When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
+
+## Configure Windows Firewall rules with WDAC tagging policies
+
+Windows Firewall now supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can now be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. There are two steps for this configuration: 
+
+### Step 1: Deploy WDAC AppId Tagging Policies
+
+A Windows Defender Application Control (WDAC) policy needs to be deployed which specifies individual applications or groups of applications to apply a PolicyAppId tag to the process token(s). Then, the admin can define firewall rules which are scoped to all processes tagged with the matching PolicyAppId.  
+
+Follow the detailed [WDAC Application ID (AppId) Tagging Guide](/windows/security/threat-protection/windows-defender-application-control/appidtagging/windows-defender-application-control-appid-tagging-guide) to create, deploy, and test an AppID (Application ID) policy to tag applications. 
+
+### Step 2: Configure Firewall Rules using PolicyAppId Tags
+
+- **Deploy firewall rules with Intune:** When creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. The properties come directly from the [Firewall configuration service provider ](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform.
+You can do this through the Intune admin center under Endpoint security > Firewall. Policy templates can be found via Create policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Firewall or Microsoft Defender Firewall Rules. 
+
+OR
+
+- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule) and specify the `–PolicyAppId` tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported. 
+
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md
index 2912122082..e60bc7b3ec 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md
@@ -29,17 +29,66 @@ To complete these procedures, you must be a member of the Domain Administrators
 
     3.  The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this path, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location.
 
-        >**Important:**  The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file.
+        > [!IMPORTANT]
+        > The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file.
 
-    4.  The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
+    5.  The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
 
-    5.  No logging occurs until you set one of following two options:
+    6.  No logging occurs until you set one of following two options:
 
         -   To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**.
 
         -   To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**.
 
-    6.  Click **OK** twice.
+    7.  Click **OK** twice.
+
+### Troubleshoot if the log file is not created or modified
+
+Sometimes the Windows Firewall log files aren't created, or the events aren't written to the log files. Some examples when this condition might occur include:
+
+- missing permissions for the Windows Defender Firewall Service (MpsSvc) on the folder or on the log files
+- you want to store the log files in a different folder and the permissions were removed, or haven't been set automatically
+- if firewall logging is configured via policy settings, it can happen that
+  - the log folder in the default location `%windir%\System32\LogFiles\firewall` doesn't exist
+  - the log folder in a custom path doesn't exist
+  In both cases, you must create the folder manually or via script, and add the permissions for MpsSvc
+
+If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existent folder is configured via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC.  
+
+```PowerShell
+New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall
+```
+
+Verify if MpsSvc has *FullControl* on the folder and the files.
+From an elevated PowerShell session, use the following commands, ensuring to use the correct path:
+
+```PowerShell
+$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
+(Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize
+```
+
+The output should show `NT SERVICE\mpssvc` having *FullControl*:
+
+```PowerShell
+IdentityReference      FileSystemRights AccessControlType IsInherited InheritanceFlags
+-----------------      ---------------- ----------------- ----------- ----------------
+NT AUTHORITY\SYSTEM         FullControl             Allow       False    ObjectInherit
+BUILTIN\Administrators      FullControl             Allow       False    ObjectInherit
+NT SERVICE\mpssvc           FullControl             Allow       False    ObjectInherit
+```
+
+If not, add *FullControl* permissions for mpssvc to the folder, subfolders and files. Make sure to use the correct path.
+
+```PowerShell
+$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall"
+$ACL = get-acl -Path $LogPath
+$ACL.SetAccessRuleProtection($true, $false)
+$RULE = New-Object System.Security.AccessControl.FileSystemAccessRule ("NT SERVICE\mpssvc","FullControl","ContainerInherit,ObjectInherit","None","Allow")
+$ACL.AddAccessRule($RULE)
+```
+
+Restart the device to restart the Windows Defender Firewall Service.
+
+### Troubleshoot Slow Log Ingestion
 
-### Troubleshooting Slow Log Ingestion
 If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this downsizing will result in more resource usage due to the increased resource usage for log rotation. 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md b/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md
index f5c4d18144..11638e864b 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
 ms.collection: 
   - highpri
   - tier3
+  - must-keep
 ms.topic: conceptual
 ms.date: 09/07/2021
 ---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md b/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md
index 7ccafddaa2..5751151190 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
 ms.collection: 
   - highpri
   - tier3
+  - must-keep
 ms.topic: conceptual
 ms.date: 09/07/2021
 ---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md
index 08c06d4796..a2cad4e58d 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
 ms.collection: 
   - highpri
   - tier3
+  - must-keep
 ms.topic: conceptual
 ms.date: 09/07/2021
 ---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index 874e99e9c0..49aee564d3 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
 ms.collection: 
   - highpri
   - tier3
+  - must-keep
 ms.topic: conceptual
 ms.date: 09/08/2021
 ---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
index 83418c0d85..af1b573655 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
@@ -5,6 +5,7 @@ ms.prod: windows-client
 ms.collection: 
   - highpri
   - tier3
+  - must-keep
 ms.topic: conceptual
 ms.date: 09/08/2021
 ---
diff --git a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 65b3843328..90f2ed2f75 100644
--- a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -83,11 +83,11 @@ This section is an overview that describes different parts of the end-to-end sec
 
 | Number | Part of the solution | Description |
 | - | - | - |
-| **1** | Windows-based device | The first time a Windows-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows-based device with TPM can report health status at any time by using the Health Attestation Service available with all supported editions of Windows.|
-| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization's tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.<br/>Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that uses the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
+| **1** | Windows-based device | The first time a Windows-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Microsoft Entra ID and enrolled in MDM.<br/>A Windows-based device with TPM can report health status at any time by using the Health Attestation Service available with all supported editions of Windows.|
+| **2** | Identity provider | Microsoft Entra ID contains users, registered devices, and registered application of organization's tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.<br/>Microsoft Entra ID is more than a repository. Microsoft Entra ID is able to authenticate users and devices and can also authorize access to managed resources. Microsoft Entra ID has a conditional access control engine that uses the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
 | **3**|Mobile device management| Windows has MDM support that enables the device to be managed out-of-box without deploying any agent.<br/>MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows.|
 | **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows security features are enabled on the device.<br/>Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).|
-| **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect.<br/>For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.|
+| **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect.<br/>For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Microsoft Entra ID, or even VPN access.|
 
 The combination of Windows-based devices, identity provider, MDM, and remote health attestation creates a robust end-to-end-solution that provides validation of health and compliance of devices that access high-value assets.
 
@@ -613,7 +613,7 @@ Windows has an MDM client that ships as part of the operating system. This MDM c
 
 ### Third-party MDM server support
 
-Third-party MDM servers can manage Windows by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+Third-party MDM servers can manage Windows by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
 
 > [!NOTE]
 > MDM servers do not need to create or download a client to manage Windows. For more information, see [Mobile device management](/windows/client-management/mdm/).
@@ -628,70 +628,70 @@ For more information on how to manage Windows security and system settings with
 
 ### Conditional access control
 
-On most platforms, the Azure Active Directory (Azure AD) device registration happens automatically during enrollment. The device states are written by the MDM solution into Azure AD, and then read by Office 365 (or by any authorized Windows app that interacts with Azure AD) the next time the client tries to access an Office 365 compatible workload.
+On most platforms, the Microsoft Entra device registration happens automatically during enrollment. The device states are written by the MDM solution into Microsoft Entra ID, and then read by Office 365 (or by any authorized Windows app that interacts with Microsoft Entra ID) the next time the client tries to access an Office 365 compatible workload.
 
 If the device isn't registered, the user will get a message with instructions on how to register (also known as enrolling). If the device isn't compliant, the user will get a different message that redirects them to the MDM web portal where they can get more information on the compliance problem and how to resolve it.
 
-**Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way.
+**Microsoft Entra ID** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way.
 
 :::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png":::
 
 ### Office 365 conditional access control
 
-Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company's device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
+Microsoft Entra ID enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company's device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
 target groups.
 
-When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that don't have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services.
+When a user requests access to an Office 365 service from a supported device platform, Microsoft Entra authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that don't have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services.
 
-When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune.
+When a user enrolls, the device is registered with Microsoft Entra ID, and enrolled with a compatible MDM solution like Intune.
 
 > [!NOTE]
-> Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067) blog post.
+> Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Microsoft Entra ID and Intune are explained in the [Windows, Microsoft Entra ID And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067) blog post.
 
-When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access.
+When a user enrolls a device successfully, the device becomes trusted. Microsoft Entra ID provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access.
 
 The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the compliance policy isn't met at the time of request for renewal.
 
-Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar.
+Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Microsoft Entra ID, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar.
 
 :::image type="content" alt-text="figure 12." source="images/hva-fig11-office365.png":::
 
 Clients that attempt to access Office 365 will be evaluated for the following properties:
 
 - Is the device managed by an MDM?
-- Is the device registered with Azure AD?
+- Is the device registered with Microsoft Entra ID?
 - Is the device compliant?
 
 To get to a compliant state, the Windows-based device needs to:
 
 - Enroll with an MDM solution.
-- Register with Azure AD.
+- Register with Microsoft Entra ID.
 - Be compliant with the device policies set by the MDM solution.
 
 > [!NOTE]
-> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows - Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post.
+> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Microsoft Entra ID, Microsoft Intune and Windows - Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post.
 
 ### Cloud and on-premises apps conditional access control
 
-Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access.
+Conditional access control is a powerful policy evaluation engine built into Microsoft Entra ID. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access.
 
-IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even on-premises applications. Access rules in Azure AD use the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access.
+IT pros can configure conditional access control policies for cloud SaaS applications secured by Microsoft Entra ID and even on-premises applications. Access rules in Microsoft Entra ID use the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access.
 
 For more information about conditional access, see [Azure Conditional Access Preview for SaaS Apps.](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
 
 > [!NOTE]
-> Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](https://go.microsoft.com/fwlink/p/?LinkId=691617) site.
+> Conditional access control is a Microsoft Entra ID P1 or P2 feature that's also available with EMS. If you don't have a Microsoft Entra ID P1 or P2 subscription, you can get a trial from the [Microsoft Azure](https://go.microsoft.com/fwlink/p/?LinkId=691617) site.
 
 For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
 
-- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
-- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
+- For on-premises applications that are published through the Microsoft Entra application proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Microsoft Entra application proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy).
+- Additionally, Microsoft Entra Connect will sync device compliance information from Microsoft Entra ID to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
 
 :::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png":::
 
-The following process describes how Azure AD conditional access works:
+The following process describes how Microsoft Entra Conditional Access works:
 
-1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
+1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Microsoft Entra ID.
 2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
 3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
 4. User logs on and the MDM agent contacts the Intune/MDM server.
@@ -700,13 +700,13 @@ The following process describes how Azure AD conditional access works:
 7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
 8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server.
 9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device.
-10. Intune/MDM server updates compliance state against device object in Azure AD.
+10. Intune/MDM server updates compliance state against device object in Microsoft Entra ID.
 11. User opens app, attempts to access a corporate managed asset.
-12. Access gated by compliance claim in Azure AD.
+12. Access gated by compliance claim in Microsoft Entra ID.
 13. If the device is compliant and the user is authorized, an access token is generated.
 14. User can access the corporate managed asset.
 
-For more information about Azure AD join, see [Azure AD & Windows: Better Together for Work or School](https://go.microsoft.com/fwlink/p/?LinkId=691619), a white paper.
+For more information about Microsoft Entra join, see [Microsoft Entra ID & Windows: Better Together for Work or School](https://go.microsoft.com/fwlink/p/?LinkId=691619), a white paper.
 
 Conditional access control is a topic that many organizations and IT pros may not know and they should. The different attributes that describe a user, a device, compliance, and context of access are powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment.
 
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index a16db47b99..38961897cb 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
 description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.date: 08/11/2023
+ms.date: 09/25/2023
 ms.topic: conceptual
 appliesto:
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2</a>
@@ -13,9 +13,10 @@ Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft
 
 If a user signs into Windows using a password, Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school password used to sign into Windows 11 in these ways:
 
-- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also alerts them to change their password so attackers can't gain access to their account.
+- If users type or paste their work or school password on any browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also alerts them to change their password so attackers can't gain access to their account.
 - Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and alert them to change their password.
 - Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file.
+- If users type their work or school password into a website or app that SmartScreen finds suspicious, Enhanced Phishing Protection can automatically collect information from that website or app to help identify security threats. For example, the content displayed, sounds played, and application memory.
 
 > [!NOTE]
 > When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to Microsoft Defender for Endpoint.
@@ -68,10 +69,11 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][
 
 | Setting                 | OMA-URI                                                                   | Data type |
 |-------------------------|---------------------------------------------------------------------------|-----------|
-| **ServiceEnabled**      | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled`      | Integer   |
+| **AutomaticDataCollection** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection` | Integer |
 | **NotifyMalicious**     | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious`     | Integer   |
 | **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer   |
 | **NotifyUnsafeApp**     | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp`     | Integer   |
+| **ServiceEnabled**      | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled`      | Integer   |
 
 ---
 
@@ -80,7 +82,6 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][
 By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.
 
 To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
-
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 
 |Settings catalog element|Recommendation|
@@ -108,15 +109,19 @@ To better help you protect your organization, we recommend turning on and using
 |NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
 |NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
 
+
 ---
 
 ## Related articles
 
-- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
+- [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
 - [WebThreatDefense CSP][WIN-1]
 - [Threat protection](index.md)
 
 <!-- Links -->
 
 [WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense
+
 [MEM-2]: /mem/intune/configuration/settings-catalog
+
+
diff --git a/windows/security/security-foundations/certification/fips-140-validation.md b/windows/security/security-foundations/certification/fips-140-validation.md
index d34c1295ff..1cb3c7c91f 100644
--- a/windows/security/security-foundations/certification/fips-140-validation.md
+++ b/windows/security/security-foundations/certification/fips-140-validation.md
@@ -2,14 +2,14 @@
 title: Federal Information Processing Standard (FIPS) 140 Validation
 description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
 ms.prod: windows-client
-ms.date: 11/03/2022
+ms.date: 08/18/2023
 manager: aaroncz
 ms.author: paoloma
 author: paolomatarazzo
 ms.collection: 
   - highpri
   - tier3
-ms.topic: article
+ms.topic: reference
 ms.localizationpriority: medium
 ms.reviewer: 
 ms.technology: itpro-security
diff --git a/windows/security/security-foundations/certification/windows-platform-common-criteria.md b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
index c79a189b61..0f426874c2 100644
--- a/windows/security/security-foundations/certification/windows-platform-common-criteria.md
+++ b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
 ms.author: sushmanemali
 author: s4sush
 manager: aaroncz
-ms.topic: article
+ms.topic: reference
 ms.localizationpriority: medium
 ms.date: 11/4/2022
 ms.reviewer: paoloma
@@ -278,10 +278,6 @@ Certified against the Protection Profile for General Purpose Operating Systems.
 ### Windows Server 2003 Certificate Server
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
-- [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
-- [Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
-- [User's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
-- [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
 
 ### Windows Rights Management Services
diff --git a/windows/security/security-foundations/index.md b/windows/security/security-foundations/index.md
index 52c893e6cb..0f47d591b2 100644
--- a/windows/security/security-foundations/index.md
+++ b/windows/security/security-foundations/index.md
@@ -1,7 +1,7 @@
 ---
 title: Windows security foundations
 description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program.
-ms.topic: conceptual
+ms.topic: overview
 ms.date: 06/15/2023
 author: paolomatarazzo
 ms.author: paoloma
diff --git a/windows/security/security-foundations/msft-security-dev-lifecycle.md b/windows/security/security-foundations/msft-security-dev-lifecycle.md
index 4f96b191e4..99fc260eb9 100644
--- a/windows/security/security-foundations/msft-security-dev-lifecycle.md
+++ b/windows/security/security-foundations/msft-security-dev-lifecycle.md
@@ -4,13 +4,13 @@ description: Download the Microsoft Security Development Lifecycle white paper t
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
-ms.topic: article
+ms.topic: conceptual
 ms.date: 07/31/2023
 ---
 
 # Microsoft Security Development Lifecycle
 
-The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft. 
+The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
 
 [:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl)
 
diff --git a/windows/security/security-foundations/zero-trust-windows-device-health.md b/windows/security/security-foundations/zero-trust-windows-device-health.md
index 64696d3e5d..65cc2e9e7d 100644
--- a/windows/security/security-foundations/zero-trust-windows-device-health.md
+++ b/windows/security/security-foundations/zero-trust-windows-device-health.md
@@ -51,7 +51,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side
 
 3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation).
 
-4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Azure Active Directory conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
+4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Microsoft Entra Conditional Access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
 
 5. The attestation service does the following tasks:
 
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index 81cfb68761..d4c07f3415 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -37,7 +37,7 @@ Access and Remote Access permissions to users and groups. We recommend that you
 
 -   Blank
 
-    This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it to Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK.
+   This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. To set a blank value, select "Define this policy setting" and leave the Security descriptor empty, then select OK.
 
 -   *User-defined input* of the SDDL representation of the groups and privileges
 
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
index 87337b86b8..1e3180694c 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
@@ -41,7 +41,7 @@ The **Maximum password age** policy setting determines the period of time (in da
 Set **Maximum password age** to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources.
 
 > [!NOTE]
-> The security baseline recommended by Microsoft doesn't contain the password-expiration policy, as it is less effective than modern mitigations. However, companies that didn't implement Azure AD Password Protection, multifactor authentication, or other modern mitigations of password-guessing attacks, should leave this policy in effect.
+> The security baseline recommended by Microsoft doesn't contain the password-expiration policy, as it is less effective than modern mitigations. However, companies that didn't implement Microsoft Entra Password Protection, multifactor authentication, or other modern mitigations of password-guessing attacks, should leave this policy in effect.
 
 ### Location
 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index ce5adb5c59..abc5d527cd 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -41,7 +41,7 @@ This policy isn't configured by default on domain-joined devices. This disableme
 -   **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship by using online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the sign-in peer for validation. It associates the user's certificate to a security token, and then the sign-in process completes.
 
     > [!NOTE]
-    > PKU2U is disabled by default on Windows Server. If PKU2U is disabled, Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client.
+    > PKU2U is disabled by default on Windows Server. If PKU2U is disabled, Remote Desktop connections from a Microsoft Entra hybrid joined server to a Microsoft Entra joined Windows 10 device or a Microsoft Entra hybrid joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client.
 
 -   **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
 
@@ -49,7 +49,7 @@ This policy isn't configured by default on domain-joined devices. This disableme
 
 ### Best practices
 
-Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD-joined environments.
+Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Microsoft Entra joined environments.
 
 ### Location
 
@@ -75,7 +75,7 @@ This section describes how an attacker might exploit a feature or its configurat
 
 ### Vulnerability
 
-Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Azure AD-joined devices, where they're signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate. 
+Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or a Microsoft Entra account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Microsoft Entra joined devices, where they're signed in with an online identity and are issued certificates by Microsoft Entra ID. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Microsoft Entra ID is used as it relies on the user's online identity and Microsoft Entra ID to authenticate. 
 
 ### Countermeasure
 
@@ -85,7 +85,7 @@ Set this policy to *Disabled* or don't configure this security policy for *on-pr
 
 If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. This disablement is a valid configuration in *on-premises only* environments. Some roles/features (such as Failover Clustering) don't utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy.
 
-If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. If this policy isn't enabled, remote connections to an Azure AD joined device won't work.
+If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Microsoft Entra ID and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. If this policy isn't enabled, remote connections to a Microsoft Entra joined device won't work.
 
 ### Fix/Remediation
 
diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md
index a53ae544d8..39d6b0489e 100644
--- a/windows/security/threat-protection/security-policy-settings/security-options.md
+++ b/windows/security/threat-protection/security-policy-settings/security-options.md
@@ -108,7 +108,7 @@ For info about setting security policies, see [Configure security policy setting
 | [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. |
 | [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)| Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. |
 | [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)| Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. |
-| [Shutdown: Allow system to be shut down without having to lg on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. |
+| [Shutdown: Allow system to be shut down without having to log on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. |
 | [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.|
 | [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)| Describes the best practices, location, values, policy management, and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. |
 | [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)| This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting. |
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index 2e144448b8..2bd556b46f 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -11,7 +11,7 @@
       href: windows-11-plan.md
     - name: Prepare for Windows 11
       href: windows-11-prepare.md
-    - name: Windows 11 temporary enterprise feature control
+    - name: Windows 11 enterprise feature control
       href: temporary-enterprise-feature-control.md      
     - name: What's new in Windows 11, version 22H2
       href: whats-new-windows-11-version-22h2.md
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
index 3943ef84fc..6b07079c0f 100644
--- a/windows/whats-new/deprecated-features-resources.md
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -1,7 +1,7 @@
 ---
 title: Resources for deprecated features in the Windows client
 description: Resources and details for deprecated features in the Windows client.
-ms.date: 08/01/2023
+ms.date: 10/09/2023
 ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
@@ -21,6 +21,10 @@ appliesto:
 
 This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features:
 
+## VBScript
+
+VBScript will be available as a [feature on demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before being retired in future Windows releases. Initially, the VBScript feature on demand will be preinstalled to allow for uninterrupted use while you prepare for the retirement of VBScript.
+ 
 ## TLS versions 1.0 and 1.1 disablement resources
 
 Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 are disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1.
@@ -69,11 +73,11 @@ Re-enabling TLS 1.0 or TLS 1.1 on machines should only be done as a last resort,
 
 The [Microsoft Support Diagnostic Tool (MSDT)](/windows-server/administration/windows-commands/msdt) gathers diagnostic data for analysis by support professionals. MSDT is the engine used to run legacy Windows built-in troubleshooters. There are currently 28 built-in troubleshooters for MSDT. Half of the built-in troubleshooters have already been [redirected](#redirected-msdt-troubleshooters) to the Get Help platform, while the other half will be [retired](#retired-msdt-troubleshooters).  
 
-If you're using MSDT to run [custom troubleshooting packages](/previous-versions/windows/desktop/wintt/package-schema), it will be available as a [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before the tool is fully retired in 2025. This change will allow you to continue to use MSDT to run custom troubleshooting packages while transitioning to a new platform. [Contact Microsoft support](https://support.microsoft.com/contactus) for Windows if you require additional assistance.
+If you're using MSDT to run [custom troubleshooting packages](/previous-versions/windows/desktop/wintt/package-schema), it will be available as a [feature on demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before the tool is fully retired in 2025. This change allows you to continue to use MSDT to run custom troubleshooting packages while transitioning to a new platform. [Contact Microsoft support](https://support.microsoft.com/contactus) for Windows if you require more assistance.
 
 ### Redirected MSDT troubleshooters
 
-The following troubleshooters will automatically be redirected when you access them from **Start** > **Settings** > **System** > **Troubleshoot**:
+The following troubleshooters are automatically redirected when you access them from **Start** > **Settings** > **System** > **Troubleshoot**:
 
 - Background Intelligent Transfer Service (BITS)
 - Bluetooth
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 5d0649468d..75c9ea7697 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
 ---
 title: Deprecated features in the Windows client
-description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11.
-ms.date: 08/01/2023
+description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
+ms.date: 10/18/2023
 ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
@@ -36,6 +36,10 @@ The features in this article are no longer being actively developed, and might b
 
 |Feature    |  Details and mitigation  | Deprecation announced |
 | ----------- | --------------------- | ---- |
+| Timeline for Microsoft Entra accounts <!--8396095--> | Cross-device syncing of Microsoft Entra user activity history will stop starting in January 2024. Microsoft will stop storing this data in the cloud, aligning with [the previous change for Microsoft accounts (MSA)](https://blogs.windows.com/windows-insider/2021/04/14/announcing-windows-10-insider-preview-build-21359) in 2021. The timeline user experience was retired in Windows 11, although it remains in Windows 10. The timeline user experience and all your local activity history still remains on Windows 10 devices. Users can access web history using their browser and access recent files through OneDrive and Office. | October 2023 |
+| VBScript <!--7954828--> | VBScript is being deprecated. In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system. For more information, see [Resources for deprecated features](deprecated-features-resources.md#vbscript). | October 2023 |
+| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt.  | September 1, 2023 |
+| AllJoyn |  Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity).  | August 17, 2023 |
 | TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023| 
 | Cortana in Windows <!--7987543--> | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 | 
 | Microsoft Support Diagnostic Tool (MSDT) <!--6968128--> | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
@@ -49,6 +53,7 @@ The features in this article are no longer being actively developed, and might b
 | Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
 | Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
 | Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
+| Microsoft BitLocker Administration and Monitoring (MBAM)| [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/), part of the [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is no longer being developed. | September 2019 |
 | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
 | My People / People in the Shell |  My People is no longer being developed. It may be removed in a future update. | 1909 |
 | Package State Roaming (PSR) |  PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user. <br>&nbsp;<br>The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. <br>&nbsp;<br>PSR was removed in Windows 11.| 1909 |
@@ -59,7 +64,6 @@ The features in this article are no longer being actively developed, and might b
 | Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
 |Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this reason, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
 |OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
-|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97). It provides the same screen snipping abilities plus other features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the "Screen snip" button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 |
 |[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
 |[Offline symbol packages](/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](/archive/blogs/windbg/update-on-microsofts-symbol-server). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 |
 |Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. For more information, see [Error opening Help in Windows-based programs: "Feature not included" or "Help not supported"](https://support.microsoft.com/topic/error-opening-help-in-windows-based-programs-feature-not-included-or-help-not-supported-3c841463-d67c-6062-0ee7-1a149da3973b).| 1803 |
@@ -89,3 +93,4 @@ The features in this article are no longer being actively developed, and might b
 |`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update has been deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019.|
 
 
+
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index 036ef0bfa2..ec64e498bc 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -59,7 +59,10 @@
         "jborsecnik",
         "tiburd",
         "garycentric",
-        "beccarobins"
+        "beccarobins",
+        "Stacyrch140",
+        "v-stsavell",
+        "American-Dipper"
       ],
       "searchScope": ["Windows 10"]
     },
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index b2c710d264..99cf0f87aa 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -208,14 +208,14 @@ Windows Hello for Business now supports FIDO 2.0 authentication for Azure AD Joi
 
 For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
 
-#### Windows Defender Credential Guard
+#### Credential Guard
 
-Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
+Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
 
-Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
+Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
 
 > [!NOTE]
-> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
+> Credential Guard is available only to S mode devices or Enterprise and Education Editions.
 
 For more information, see [Credential Guard Security Considerations](/windows/security/identity-protection/credential-guard/credential-guard-requirements#security-considerations).
 
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 48b3e3b651..c07ad692ea 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -74,7 +74,7 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
 
 ### Virus and threat protection
 
-[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL's and IP addresses.
+[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URLs and IP addresses.
 [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
   - Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform.
   - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
@@ -149,9 +149,9 @@ Windows Hello enhancements include:
 
 ### Credential protection
 
-#### Windows Defender Credential Guard
+#### Credential Guard
 
-[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
+[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
 
 ### Privacy controls
 
diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md
index b20be1c0ab..65ebf38755 100644
--- a/windows/whats-new/temporary-enterprise-feature-control.md
+++ b/windows/whats-new/temporary-enterprise-feature-control.md
@@ -1,6 +1,6 @@
 ---
-title: Temporary enterprise feature control in Windows 11
-description: Learn about the Windows 11 features behind temporary enterprise feature control.
+title: Enterprise feature control in Windows 11
+description: Learn about the Windows 11 features behind temporary enterprise feature control and permanent feature control.
 ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.author: mstewart
@@ -8,7 +8,7 @@ author: mestew
 manager: aaroncz
 ms.localizationpriority: medium
 ms.topic: reference
-ms.date: 05/19/2023
+ms.date: 09/26/2023
 ms.collection:
   - highpri
   - tier2
@@ -16,21 +16,20 @@ appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 and later</a>
 ---
 
-# Temporary enterprise feature control in Windows 11
+# Enterprise feature control in Windows 11
 <!--7790977-->
-New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
+New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features might be:
+
+- Temporarily turned off by default using [temporary enterprise feature control](#temporary-enterprise-feature-control)
+- Controlled by a policy that allows for [permanent enterprise feature control](#permanent-enterprise-feature-control)
+
+Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly. For example, a feature might be turned off by default if it requires a change in user behavior or if it requires IT administrators to take action before the feature can be used.
+
+## Temporary enterprise feature control
 
 Features behind temporary enterprise control are automatically disabled for devices that have their Windows updates managed by policies.
 
-## Windows 11 features behind temporary enterprise feature control
-
-The following features are behind temporary enterprise control in Windows 11:
-
-| Feature | KB article where the feature was introduced | Feature update that ends temporary control |
-|---|---|---|
-| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update |
-
-## Enable features behind temporary enterprise feature control
+### Enable features behind temporary enterprise feature control
 
 Features that are behind temporary enterprise control will be enabled when one of the following conditions is met:
 
@@ -38,7 +37,7 @@ Features that are behind temporary enterprise control will be enabled when one o
 - The device receives a policy that enables features behind temporary enterprise control
   - When the policy is enabled, all features on the device behind temporary control are turned on when the device next restarts.
 
-## Policy settings for temporary enterprise feature control
+### Policy settings for temporary enterprise feature control
 
 You can use a policy to enable features that are behind temporary enterprise feature control. When this policy is enabled, all features that were disabled behind temporary enterprise feature control are turned on when the device next reboots. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
 
@@ -46,3 +45,33 @@ You can use a policy to enable features that are behind temporary enterprise fea
 
 - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)
    - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category.
+
+### Windows 11 features behind temporary enterprise feature control
+
+The following features are behind temporary enterprise control in Windows 11:
+
+| Feature | KB article where the feature was introduced | Feature update that ends temporary control | Notes |
+|---|---|---|---|
+| Touch-optimized taskbar for 2-in-1 devices <!--8092554, WIP.25197--> | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update | |
+| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** <!--8092554, WIP.25300-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | |
+| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.<!--8092554, WIP.23511 & WIP.25281, AllowWindowsSpotlight-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature also has a permanent control: </br></br> **CSP**: ./User/Vendor/MSFT/Policy/Config/Experience/[AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight)</br> </br>**Group Policy**: User Configuration\Administrative Templates\Windows Components\Cloud Content\\**Turn off all Windows spotlight features**|
+| Copilot in Windows <!--8092554, WIP.23493 -->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has a permanent control. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section. |
+| Dev Home <!--8092554, WIP.23506-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | `Get-AppxPackage -Name Microsoft.Windows.DevHome` |
+|Dev Drive <!--8092554, WIP.23466-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has multiple permanent controls. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section | 
+
+## Permanent enterprise feature control
+
+New features and enhancements used to be introduced only in feature updates. However, with continuous innovation for Windows 11, new features are introduced more frequently through the monthly cumulative update. Some new features can be controlled through policies that enable you to configure them for your organization. When a feature can be controlled by a policy, it has permanent enterprise feature control.
+
+### Windows 11 features with permanent enterprise feature control
+
+The following features introduced through the monthly cumulative updates allow permanent enterprise feature control:
+
+| Feature | KB article where the feature was introduced | Feature enabled by default | CSP and Group Policy |
+|---|---|---|---|
+| Configure search on the taskbar <!--8092554, WIP.25252-->| [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9)| Yes | **CSP**: ./Device/Vendor/MSFT/Policy/Config/Search/[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) </br> </br>**Group Policy**: Computer Configuration\Administrative Templates\Windows Components\Search\\**Configures search on the taskbar**|
+| The **Recommended** section of the **Start Menu** displays personalized website recommendations <!--8092554, WIP.23475-->|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)| No |**CSP**: ./Device/Vendor/MSFT/Policy/Config/Start/[HideRecoPersonalizedSites](/windows/client-management/mdm/policy-csp-start)</br> </br>**Group Policy**: Computer Configuration\Administrative Templates\Start Menu and Taskbar\\**Remove Personalized Website Recommendations from the Recommended section in the Start Menu**|
+| **Recommended** section added to File Explorer Home for users signed into Windows with an Azure AD account. <!--8092554, DisableGraphRecentItems, WIP.23475, WIP.23403-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes | **CSP**:./Device/Vendor/MSFT/Policy/Config/FileExplorer/[DisableGraphRecentItems](/windows/client-management/mdm/policy-csp-fileexplorer#disablegraphrecentitems) </br> </br> **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\File Explorer\\**Turn off files from Office.com in Quick Access View** </br> </br> **Note**: This control disables additional items beyond the **Recommended** items. Review the policy before implementing this control. |
+| Transfer files to another PC using WiFi direct<!--8092554, WIP.23506-->|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)|Yes|**CSP**: ./Device/Vendor/MSFT/Policy/Config/Wifi/[AllowWiFiDirect](/windows/client-management/mdm/policy-csp-wifi#allowwifidirect)|
+| Copilot in Windows <!--8092554, WIP.23493 --> | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) </br> </br> **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**|
+|Dev Drive <!--8092554, WIP.23466-->| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSPs**: </br> - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[EnableDevDrive](/windows/client-management/mdm/policy-csp-filesystem#enableeeverive) </br> - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[DevDriveAttachPolicy](/windows/client-management/mdm/policy-csp-filesystem#devdriveattachpolicy) </br> </br> **Group Policies**:  </br> - Computer Configuration\Administrative Templates\System\FileSystem\\**Enable dev drive** </br> - Computer Configuration\Administrative Templates\System\FileSystem\\**Dev drive filter attach policy**|
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 55b211215b..4f608c1dd6 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -80,7 +80,7 @@ The AssignedAccess CSP has been expanded to make it easy for administrators to c
 ## Security
 
 >[!NOTE]
->Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Windows Defender Credential Guard, and Windows Defender Firewall.
+>Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Credential Guard, and Windows Defender Firewall.
 
 **Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
 
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index b617d899f5..ad971e7d6a 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -141,11 +141,11 @@ You can add specific rules for a WSL process in Windows Defender Firewall, just
 
 We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](/microsoft-edge/deploy/change-history-for-microsoft-edge).
 
-### Windows Defender Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined
+### Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined
 
-Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
+Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
 
-Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. 
+Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. 
 
 ### Windows 10 Pro S Mode requires a network connection
 
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index c0202f98fe..d40de13c9d 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -41,9 +41,9 @@ If you're using Windows Update for Business, you'll receive the Windows 10, vers
 
 ## Security
 
-### Windows Defender Credential Guard
+### Credential Guard
 
-[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
+[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
 
 ### Microsoft BitLocker
 
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index 37a10475d2..a433405b4e 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -25,7 +25,7 @@ This article lists new and updated features and content that is of interest to I
 
 As with previous fall releases, Windows 10, version 20H2 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H2-targeted release](/lifecycle/faq/windows), 20H2 is serviced for 30 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions. 
 
-To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, including a video, see [How to get the Windows 10 October 2020 Update](https://community.windows.com/videos/how-to-get-the-windows-10-october-2020-update/7c7_mWN0wi8). 
+To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**).
 
 ## Microsoft Edge
 
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index 4e91dc9a19..b09c1ab588 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -50,9 +50,9 @@ For more information, see [Smart App Control](/windows/security/threat-protectio
 
 ## Credential Guard
 <!--6289166-->
-Compatible Windows 11 Enterprise version 22H2 devices will have **Windows Defender Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state.
+Compatible Windows 11 Enterprise version 22H2 devices will have **Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state.
 
-For more information, see [Manage Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage).
+For more information, see [Manage Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage).
 
 ## Malicious and vulnerable driver blocking
 <!--6286432-->
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index 90928f5742..2bab9205d6 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -152,7 +152,7 @@ For more information on the security features you can configure, manage, and enf
 
 - Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.
 
-  You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10).
+  You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/overview-windows-apps).
 
   In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in.
 
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 6e9047c606..fb11714e70 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -19,7 +19,7 @@ appliesto:
 
 # Prepare for Windows 11
 
-Windows 10 and Windows 11 are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10.
+Windows 10 and Windows 11 are designed to coexist so that you can use the same familiar tools and processes to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10.
 
 After you evaluate your hardware to see if it meets [requirements](windows-11-requirements.md) for Windows 11, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks.
 
@@ -32,7 +32,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil
 
 #### On-premises solutions
 
-- If you use [Windows Server Update Service (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you'll need to sync the new **Windows 11** product category. After you sync the product category, you'll see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well.
+- If you use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you'll need to sync the new Windows 11 product category. After you sync the product category, you'll see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well.
 
   > [!NOTE]
   > During deployment, you will be prompted to agree to the Microsoft Software License Terms on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture.
@@ -44,25 +44,25 @@ The tools that you use for core workloads during Windows 10 deployments can stil
 
 #### Cloud-based solutions
 
--	If you use Windows Update for Business policies, you'll need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically devices move between products (Windows 10 to Windows 11). 
+-	If you use Windows Update for Business policies, you'll need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great for moving to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically move devices between products (Windows 10 to **Windows 11**). 
     - If you use Microsoft Intune and have a Microsoft 365 E3 license, you'll be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. 
     - In Group Policy, **Select target Feature Update version** has two entry fields after taking the 9/1/2021 optional update ([KB5005101](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1)) or a later update: **Product Version** and **Target Version**. 
 
     - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. 
     - For example, if a device is running <i>Windows 10, version 2004</i> and only the target version is configured to 21H1, this device will be offered version <i>Windows 10, version 21H1</i>, even if multiple products have a 21H1 version.
 - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11, which is true regardless of which management tool you use to configure Windows Update for Business policies.
-- If you use Microsoft Intune and have a Microsoft 365 E3 license, you'll be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify Windows 11.
+- If you use Microsoft Intune and have a Microsoft 365 E3 license, you'll be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify **Windows 11**.
 
   > [!NOTE]
   > Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicitly configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy. 
 
 ## Cloud-based management
 
-If you aren’t already taking advantage of cloud-based management capabilities, like those available in the [Microsoft Intune family of products](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Intune can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting user privacy.  
+If you aren’t already taking advantage of cloud-based management capabilities, like those available in the [Microsoft Intune family of products](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Intune can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives while protecting user privacy.  
 
-The following are some common use cases and the corresponding Microsoft Intune capabilities that support them: 
+The following are some common use cases and the corresponding [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) capabilities that support them: 
 
-- **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. The [Windows Autopilot diagnostics page](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page) is new feature that is available when you use in Windows Autopilot to deploy Windows 11.
+- **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Professional to Enterprise edition and gain the use of advanced features. The [Windows Autopilot diagnostics page](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page) is a new feature that is available when you use in Windows Autopilot to deploy Windows 11.
 - **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multifactor authentication (MFA) for specific apps. 
 - **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Intune. 
 
@@ -74,7 +74,7 @@ Every organization will transition to Windows 11 at its own pace. Microsoft is c
 
 When you think of operating system updates as an ongoing process, you'll automatically improve your ability to deploy updates. This approach enables you to stay current with less effort, and less impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. 
 
-Next, craft a deployment plan for Windows 11 that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: 
+Next, craft a deployment plan for **Windows 11** that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: 
 - Preview (first or canary): Planning and development 
 - Limited (fast or early adopters): Pilot and validation 
 - Broad (users or critical): Wide deployment 
@@ -87,9 +87,9 @@ Review deployment-related policies, taking into consideration your organization'
 
 #### Validate apps and infrastructure
 
-To validate that your apps, infrastructure, and deployment processes are ready for Windows 11, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started), and opt in to the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel).  
+To validate that your apps, infrastructure, and deployment processes are ready for Windows 11, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started), and opt into the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel).  
 
-If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following processes:
+If you use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you can deploy directly from the Windows Insider Pre-release category using one of the following processes:
 
 - Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business. 
 - Use Azure Virtual Desktop and Azure Marketplace images. 
@@ -119,7 +119,7 @@ At a high level, the tasks involved are:
 
 ## User readiness
 
-Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11:
+Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff for Windows 11:
 
 - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes.
 - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options.
diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md
index 3a56385d67..d6f384c4f5 100644
--- a/windows/whats-new/windows-licensing.md
+++ b/windows/whats-new/windows-licensing.md
@@ -7,7 +7,7 @@ ms.author: paoloma
 manager: aaroncz
 ms.collection:
 - tier2
-ms.topic: conceptual
+ms.topic: overview
 ms.date: 05/04/2023
 appliesto:
 - ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
@@ -67,7 +67,7 @@ The following table describes the unique Windows Enterprise edition features:
 
 | OS-based feature | Description |
 |-|-|
-|**[Windows Defender Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.|
+|**[Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.|
 |**[Managed Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**| Isolates enterprise-defined untrusted sites with virtualization-based security from Windows, protecting your organization while users browse the Internet.|
 |**[Modern BitLocker Management][WIN-2]** | Allows you to eliminate on-premises tools to monitor and support BitLocker recovery scenarios. |  
 |**[Personal Data Encryption][WIN-3]**|Encrypts individual's content using Windows Hello for Business to link the encryption keys to user credentials.|
@@ -135,13 +135,13 @@ In most cases, the Windows Pro edition comes pre-installed on a business-class d
 - A developer that is developing applications that must be tested and certified on Pro, as that is how it will be delivered to customers
 - A Windows Pro device that was pre-configured for a specific purpose and is certified on Pro only
 
-In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscriptions does not block these scenarios.
+In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscription doesn't block these scenarios.
 
 The following table lists the Windows 11 Enterprise features and their Windows edition requirements:
 
 | OS-based feature |Windows Pro|Windows Enterprise|
 |-|-|-|
-|**[Windows Defender Credential Guard][WIN-1]**|❌|Yes|
+|**[Credential Guard][WIN-1]**|❌|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**|Yes|Yes|
 |**[Modern BitLocker Management][WIN-2]**|Yes|Yes|
 |**[Personal data encryption (PDE)][WIN-3]**|❌|Yes|