Merge branch 'sheshachary-5859198-3' of https://github.com/MicrosoftDocs/windows-docs-pr into sheshachary-5859198-3

CONTRIBUTING.md

@@ -2,104 +2,84 @@
 
 Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs.
 This page covers the basic steps for editing our technical documentation.
+For a more up-to-date and complete contribution guide, see the main [Microsoft Docs contributor guide overview](https://docs.microsoft.com/contribute/).
 
 ## Sign a CLA
 
-All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before editing any Microsoft repositories. 
-If you've already edited within Microsoft repositories in the past, congratulations! 
+All contributors who are ***not*** a Microsoft employee or vendor must [sign a Microsoft Contributor License Agreement (CLA)](https://cla.microsoft.com/) before editing any Microsoft repositories.
+If you've already edited within Microsoft repositories in the past, congratulations!
 You've already completed this step.
 
 ## Editing topics
 
 We've tried to make editing an existing, public file as simple as possible.
 
->**Note**<br>
->At this time, only the English (en-us) content is available for editing.
+> **Note**<br>
+> At this time, only the English (en-us) content is available for editing. If you have suggestions for edits to localized content, file feedback on the article.
 
-**To edit a topic**
+### To edit a topic
 
-1. Go to the page on docs.microsoft.com that you want to update, and then click **Edit**.
+1. Go to the page on [docs.microsoft.com](https://docs.microsoft.com/) that you want to update.
 
-    ![GitHub Web, showing the Edit link.](images/contribute-link.png)
+    > **Note**<br>
+    > If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main).
 
-2. Log into (or sign up for) a GitHub account.
-    
-    You must have a GitHub account to get to the page that lets you edit a topic.
+1. Then select the **Pencil** icon.
 
-3. Click the **Pencil** icon (in the red box) to edit the content.
+    ![Microsoft Docs Web, showing the Edit This Document link.](images/contribute-link.png)
 
-    ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png)
+    If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [Microsoft Docs Organization on GitHub](https://github.com/MicrosoftDocs).
 
-4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
-    - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
-    
-    - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) 
+    > **TIP**<br>
+    > View the page source in your browser, and look for the following metadata: `original_content_git_url`. This path always points to the source markdown file for the article.
 
-5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
+1. In GitHub, select the **Pencil** icon to edit the article. If the pencil icon is grayed out, you need to either sign in to your GitHub account or create a new account.
 
-    ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png)
+    ![GitHub Web, showing the Pencil icon.](images/pencil-icon.png)
 
-6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account.
+1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.
 
-    ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png)
+1. Make your suggested change, and then select **Preview changes** to make sure it looks correct.
 
-    The **Comparing changes** screen appears to see what the changes are between your fork and the original content.
+    ![GitHub Web, showing the Preview changes tab.](images/preview-changes.png)
 
-7. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in.
+1. When you're finished editing, scroll to the bottom of the page. In the **Propose changes** area, enter a title and optionally a description for your changes. The title will be the first line of the commit message. Briefly state _what_ you changed. Select **Propose changes** to commit your changes:
+
+    ![GitHub Web, showing the Propose changes button.](images/propose-changes.png)
+
+1. The **Comparing changes** screen appears to show what the changes are between your fork and the original content. On the **Comparing changes** screen, you'll see if there are any problems with the file you're checking. If there are no problems, you'll see the message **Able to merge**.
 
-    If there are no problems, you’ll see the message, **Able to merge**.
-    
     ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png)
 
-8. Click **Create pull request**.
+     Select **Create pull request**. Next, enter a title and description to give the approver the appropriate context about _why_ you're suggesting this change. Make sure that only your changed files are in this pull request; otherwise, you could overwrite changes from other people.
 
-9. Enter a title and description to give the approver the appropriate context about what’s in the request.
+1. Select **Create pull request** again to actually submit the pull request.
 
-10. Scroll to the bottom of the page, making sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people.
+    The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to their respective article. This repository contains articles on some of the following topics:
 
-11. Click **Create pull request** again to actually submit the pull request.
-
-    The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to one of the following places:
-
-    - [Windows 10](https://docs.microsoft.com/windows/windows-10)
-    
-    - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy)
-    
-    - [Surface](https://docs.microsoft.com/surface)
-    
-    - [Surface Hub](https://docs.microsoft.com/surface-hub)
-    
-    - [HoloLens](https://docs.microsoft.com/hololens)
-    
+    - [Windows client documentation for IT Pros](https://docs.microsoft.com/windows/resources/)
     - [Microsoft Store](https://docs.microsoft.com/microsoft-store)
-    
     - [Windows 10 for Education](https://docs.microsoft.com/education/windows)
-    
     - [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
-    
-    - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer)
-    
-    - [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/microsoft-desktop-optimization-pack)
-
+    - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/)
 
 ## Making more substantial changes
 
-To make substantial changes to an existing article, add or change images, or contribute a new article, you will need to create a local clone of the content. 
-For info about creating a fork or clone, see the GitHub help topic, [Fork a Repo](https://help.github.com/articles/fork-a-repo/).
+To make substantial changes to an existing article, add or change images, or contribute a new article, you'll need to create a local clone of the content.
+For info about creating a fork or clone, see [Set up a local Git repository](https://docs.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful.
 
-Fork the official repo into your personal GitHub account, and then clone the fork down to your local device.  Work locally, then push your changes back into your fork.  Then open a pull request back to the master branch of the official repo.
+Fork the official repo into your personal GitHub account, and then clone the fork down to your local device.  Work locally, then push your changes back into your fork.  Finally, open a pull request back to the main branch of the official repo.
 
 ## Using issues to provide feedback on documentation
 
 If you just want to provide feedback rather than directly modifying actual documentation pages, you can create an issue in the repository.
 
-At the top of a topic page you'll see an **Issues** tab. Click the tab and then click the **New issue** button. 
+At the top of an article, you'll see a feedback icon. Select the icon to go to the **Feedback** section at the bottom of the article. Then select **This page** to file feedback for the current article.
 
-Be sure to include the topic title and the URL for the page you're submitting the issue for, if that page is different from the page you launched the **New issue** dialog from.  
+In the new issue form, enter a brief title. In the body of the form, describe the concern, but don't modify the **Document Details** section. You can use markdown in this form. When you're ready, select **Submit new issue**.
 
 ## Resources
 
-You can use your favorite text editor to edit Markdown.  We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
-
-You can learn the basics of Markdown in just a few minutes.  To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
-
+- You can use your favorite text editor to edit Markdown files.  We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
+- You can learn the basics of Markdown in just a few minutes.  To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
+- Microsoft Docs uses several custom Markdown extensions. To learn more, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference).

smb/cloud-mode-business-setup.md

@@ -574,7 +574,7 @@ See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn
 To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
 - [Set up Office 365 for business](/microsoft-365/admin/setup)
 - Common admin tasks in Office 365 including email and OneDrive in [Manage Office 365](/microsoft-365/admin/)
-- More info about managing devices, apps, data, troubleshooting, and more in the [/mem/intune/](/mem/intune/)
+- More info about managing devices, apps, data, troubleshooting, and more in the [Intune documentation](/mem/intune/)
 - Learn more about Windows client in the [Windows client documentation for IT Pros](/windows/resources/).
 - Info about distributing apps to your employees, managing apps, managing settings, and more in [Microsoft Store for Business](/microsoft-store/)
 

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -8361,9 +8361,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
   <dd>
     <a href="./policy-csp-search.md#search-disableremovabledriveindexing" id="search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
   </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-disablesearch" id="search-disablesearch">Search/DisableSearch</a>
-  </dd>
   <dd>
     <a href="./policy-csp-search.md#search-donotusewebresults" id="search-donotusewebresults">Search/DoNotUseWebResults</a>
   </dd>

windows/client-management/mdm/policy-csp-accounts.md

@@ -34,6 +34,9 @@ manager: dansimp
   <dd>
     <a href="#accounts-domainnamesforemailsync">Accounts/DomainNamesForEmailSync</a>
   </dd>
+  <dd>
+    <a href="#accounts-restricttoenterprisedeviceauthenticationonly">Accounts/RestrictToEnterpriseDeviceAuthenticationOnly</a>
+  </dd>
 </dl>
 
 
@@ -207,6 +210,48 @@ The following list shows the supported values:
 <!--/Policy-->
 
 <hr/>
+
+<!--Policy-->
+<a href="" id="accounts-restricttoenterprisedeviceauthenticationonly"></a>**Accounts/RestrictToEnterpriseDeviceAuthenticationOnly**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Added in Windows 11, version 22H2. This setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, we only allow device authentication and block user authentication.
+
+Most restricted value is 1.
+
+<!--/Description-->
+<!--SupportedValues-->
+The following list shows the supported values:
+
+-   0 (default) - Allow both device and user authentication.
+-   1 - Only allow device authentication. Block user authentication.
+
+<!--/SupportedValues-->
+<!--/Policy-->
+<hr/>
+
 <!--/Policies-->
 
 <!--/Policies-->

windows/client-management/mdm/policy-csp-controlpolicyconflict.md

@@ -32,6 +32,14 @@ manager: dansimp
 <!--Policy-->
 <a href="" id="controlpolicyconflict-mdmwinsovergp"></a>**ControlPolicyConflict/MDMWinsOverGP**  
 
+> [!NOTE]
+> This setting doesn't apply to the following types of group policies:
+>
+> - If they don't map to an MDM policy. For example, firewall policies and account lockout policies.
+> - If they aren't defined by an ADMX. For example, Password policy - minimum password age.
+> - If they're in the Windows Update category.
+> - If they have list entries. For example, the Microsoft Edge CookiesAllowedForUrls policy.
+
 <!--SupportedSKUs-->
 
 |Edition|Windows 10|Windows 11|
@@ -58,9 +66,6 @@ manager: dansimp
 <!--Description-->
 This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device.
 
-> [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs.
-
 This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
 
 > [!NOTE]

windows/client-management/mdm/policy-csp-search.md

@@ -14,6 +14,7 @@ manager: dansimp
 
 # Policy CSP - Search
 
+
 <hr/>
 
 <!--Policies-->
@@ -56,9 +57,6 @@ manager: dansimp
   <dd>
     <a href="#search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
   </dd>
-  <dd>
-    <a href="#search-disablesearch">Search/DisableSearch</a>
-  </dd>
   <dd>
     <a href="#search-donotusewebresults">Search/DoNotUseWebResults</a>
   </dd>
@@ -630,57 +628,6 @@ The following list shows the supported values:
 
 <hr/>
 
-<!--Policy-->
-<a href="" id="search-disablesearch"></a>**Search/DisableSearch**  
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|No|Yes|
-|Business|No|Yes|
-|Enterprise|No|Yes|
-|Education|No|Yes|
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures.
-
-It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:  
-
--   GP Friendly name: *Fully disable Search UI*
--   GP name: *DisableSearch*
--   GP path: *Windows Components/Search*
--   GP ADMX file name: *Search.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 (default) – Do not disable search.
--   1 – Disable search.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
 <!--Policy-->
 <a href="" id="search-donotusewebresults"></a>**Search/DoNotUseWebResults**  
 
@@ -813,7 +760,7 @@ The following list shows the supported values:
 
 <!--/Scope-->
 <!--Description-->
-If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.
+If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index..
 
 <!--/Description-->
 <!--ADMXMapped-->

windows/configuration/lock-down-windows-10-to-specific-apps.md

@@ -404,7 +404,7 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
   </Config>
   ```
 
-- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign in.
+- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
 
   ```xml
   <Config>
@@ -544,43 +544,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 ### Apply provisioning package to device
 
-Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
-
->[!TIP]
->In addition to the methods below, you can use the PowerShell comdlet [install-provisioningpackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation.
-
-#### During initial setup, from a USB drive
-
-1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
-
-    ![The first screen to set up a new PC.](images/oobe.jpg)
-
-2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
-
-    ![Set up device?](images/setupmsg.jpg)
-
-3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
-
-    ![Provision this device.](images/prov.jpg)
-
-4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
-
-    ![Choose a package.](images/choose-package.png)
-
-5. Select **Yes, add it**.
-
-    ![Do you trust this package?](images/trust-package.png)
-
-#### After setup, from a USB drive, network folder, or SharePoint site
-
-1. Sign in with an admin account.
-2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
+Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md).
 
 > [!NOTE]
 > If your provisioning package doesn't include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
 
-![Add a package option.](images/package.png)
-
 ### Use MDM to deploy the multi-app configuration
 
 Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML.

windows/configuration/provisioning-packages/provisioning-apply-package.md

@@ -1,6 +1,6 @@
 ---
 title: Apply a provisioning package (Windows 10/11)
-description: Provisioning packages can be applied to a device during the first-run experience (OOBE) and after ("runtime").
+description: Provisioning packages can be applied to a device during initial setup (OOBE) and after ("runtime").
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -20,40 +20,82 @@ manager: dougeby
 -   Windows 10
 -   Windows 11
 
-Provisioning packages can be applied to client devices during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
+Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime").
 
->[!NOTE]
+> [!NOTE]
 >
 > - Applying a provisioning package to a desktop device requires administrator privileges on the device.
 > - You can interrupt a long-running provisioning process by pressing ESC.
 
-## During initial setup, from a USB drive
+> [!TIP]
+> In addition to the following methods, you can use the PowerShell cmdlet [Install-ProvisioningPackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation.
 
-1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+## During initial setup
 
-    ![The first screen to set up a new PC.](../images/oobe.jpg)
+To apply a provisioning package from a USB drive during initial setup:
 
-2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+1. Start with a device on the initial setup screen. If the device has gone past this screen, reset the device to start over. To reset, go to **Settings** > **System** > [**Recovery**](ms-settings:recovery) > **Reset this PC**.
 
-    ![Set up device?](../images/setupmsg.jpg)
+   :::image type="content" source="../images/oobe.png" alt-text="The first screen when setting up a new PC.":::
 
-3. The next screen asks you to select a provisioning source. Select **Removable Media** and select **Next**.
+2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
 
-    ![Provision this device.](../images/prov.jpg)
+   - If there is only one provisioning package on the USB drive, the provisioning package is applied. See step 5.
+   - If there is more than one provisioning package on the USB drive, Windows setup will recognize the drive and ask how you want to provision the device. Select **Install provisioning package** and select **Next**.
 
-4. Select the provisioning package (`.ppkg`) that you want to apply, and select **Next**.
+   :::image type="content" source="../images/provisioning-oobe-choice.png" alt-text="What would you like to do?":::
 
-    ![Choose a package.](../images/choose-package.png)
+3. Select the provisioning package (`.ppkg`) that you want to apply, and select **Yes**.
 
-5. Select **Yes, add it**.
+    :::image type="content" source="../images/provisioning-oobe-choose-package.png" alt-text="Choose a package.":::
 
-    ![Do you trust this package?](../images/trust-package.png)
+4. The selected provisioning package will install and apply to the device.
 
-## After setup, from a USB drive, network folder, or SharePoint site
+   :::image type="content" source="../images/provisioning-oobe-installing.png" alt-text="Setting up your PC.":::
 
-Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
+5. Wait for the device to load and begin applying the provisioning package. Once you see "You can remove your removable media now!" you can remove your USB drive. Windows will continue provisioning the device.
 
-![add a package option.](../images/package.png)
+## After initial setup
+
+Provisioning packages can be applied after initial setup through Windows settings or by simply double-clicking a provisioning package.
+
+### Windows Settings
+
+1. Insert the USB drive, then navigate to **Settings** > **Accounts** > [**Access work or school**](ms-settings:workplace) > **Add or remove a provisioning package** > **Add a package**.
+
+   :::image type="content" source="../images/provisioning-runtime-manage-packages.png" alt-text="Add or remove a provisioning package.":::
+
+2. Choose the method you want to use, such as **Removable Media**.
+
+   :::image type="content" source="../images/provisioning-runtime-choose-package.png" alt-text="Choose a method.":::
+
+3. Select the provisioning package (`.ppkg`) that you want to apply, and select **Add**.
+
+   :::image type="content" source="../images/provisioning-runtime-add-package.png" alt-text="Select and add a package.":::
+
+4. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**.
+
+   :::image type="content" source="../images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?":::
+
+5. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**.
+
+   :::image type="content" source="../images/provisioning-runtime-trust.png" alt-text="Do you trust this package?":::
+
+### Apply Directly
+
+To apply a provisioning package directly, such as from a USB drive, folder, network, or SharePoint site:
+
+1. Navigate to the provisioning package and double-click it to begin the installation.
+
+   :::image type="content" source="../images/provisioning-runtime-click-to-install.png" alt-text="Double-click package to being installation.":::
+
+2. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**.
+
+   :::image type="content" source="../images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?":::
+
+3. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**.
+
+   :::image type="content" source="../images/provisioning-runtime-trust.png" alt-text="Do you trust this package?":::
 
 ## Related articles
 

windows/configuration/set-up-shared-or-guest-pc.md

@@ -65,7 +65,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
 |:---|:---|
 | EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings) </br></br>Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**.  |
 | AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. <br/><br/>Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC. <br/><br/>  - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.<br/>  - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.<br/>-   **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
-| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out. <br/><br/>- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed. <br/><br/>Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. <br/>- **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold**  |
+| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out. <br/><br/>- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed. <br/><br/>Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign-off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. <br/>- **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold**  |
 | AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching.   |
 | AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion.   |
 | AccountManagement: InactiveThreshold | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted.   | 
@@ -85,7 +85,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
 
 You can configure Windows to be in shared PC mode in a couple different ways:
 
-- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows client in Intune, complete the following steps:
+- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To set up a shared device policy for Windows client in Intune, complete the following steps:
 
   1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
   
@@ -185,30 +185,7 @@ You can configure Windows to be in shared PC mode in a couple different ways:
 
 ### Apply the provisioning package
 
-You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up.
-
-**During initial setup**
-
-1. Start with a PC on the setup screen. 
-
-    ![The first screen to set up a new PC.](images/oobe.jpg)
-
-2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
-
-   - If there is only one provisioning package on the USB drive, the provisioning package is applied.
-    
-   - If there is more than one provisioning package on the USB drive, the **Set up device?** message displays. Click **Set up**, and select the provisioning package that you want to install. 
-
-     ![Set up device?](images/setupmsg.jpg)
-
-3. Complete the setup process.
-
-    
-**After setup**
-
-On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work access** &gt; **Add or remove a management package** &gt; **Add a package**, and selects the package to install. 
-
-![add a package option.](images/package.png)
+Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md).
 
 > [!NOTE]
 > If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
@@ -217,7 +194,7 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
 
 * We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
 
-* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
+* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign-out.
 * On a Windows PC joined to Azure Active Directory:
     * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
     * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.

windows/deployment/planning/windows-10-deprecated-features.md

@@ -1,21 +1,22 @@
 ---
 title: Windows 10 features we're no longer developing
-description: Review the list of features that are no longer being developed in Windows 10
+description: Review the list of features that are no longer being developed in Windows 10.
 ms.prod: w10
-ms.mktglfcycl: plan
+ms.technology: windows
 ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
+ms.reviewer: 
 ms.topic: article
 ms.collection: highpri
 ---
 
 # Windows 10 features we're no longer developing
 
-> Applies to: Windows 10
+_Applies to:_
+
+- Windows 10
 
 Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that are no longer being developed in Windows 10. For information about features that have been removed, see [Features we removed](windows-10-removed-features.md).
 
@@ -25,38 +26,38 @@ The features described below are no longer being actively developed, and might b
 
 **The following list is subject to change and might not include every affected feature or functionality.**
 
-> [!NOTE] 
-> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). 
+> [!NOTE]
+> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
 
 |Feature    |  Details and mitigation  | Announced in version |
 | ----------- | --------------------- | ---- |
-| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**<br>Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.<br>The following items might not be available in a future release of Windows client:<br>- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**<br>- Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv)<br>- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**<br>- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files  | 21H1 |
+| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**<br>Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.<br>The following items might not be available in a future release of Windows client:<br>- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**<br>- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)<br>- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**<br>- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files  | 21H1 |
 | Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 |
 | Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
-| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 |
-| Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you'll no longer have the option to upload new activity in Timeline. See [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 |
+| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself isn't affected. | 21H1 |
+| Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you can't upload new activity in Timeline. For more information, see [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 |
 | Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
 | Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
 | Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
 | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
 | My People / People in the Shell |  My People is no longer being developed. It may be removed in a future update. | 1909 |
 | Package State Roaming (PSR) |  PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user. <br>&nbsp;<br>The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. <br>&nbsp;<br>PSR was removed in Windows 11.| 1909 |
-| XDDM-based remote display driver  | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 |
+| XDDM-based remote display driver  | The Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 |
 | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
-| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
-| Windows To Go | Windows To Go is no longer being developed. <br><br>The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.|  1903 |
-| Print 3D app | Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
-|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
+| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which aren't as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
+| Windows To Go | Windows To Go is no longer being developed. <br><br>The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.|  1903 |
+| Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
+|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this reason, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
 |OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
-|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 |
+|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97). It provides the same screen snipping abilities plus other features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the "Screen snip" button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 |
 |[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
 |[Offline symbol packages](/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](/archive/blogs/windbg/update-on-microsofts-symbol-server). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 |
-|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| 1803 |
+|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. For more information, see [Error opening Help in Windows-based programs: "Feature not included" or "Help not supported"](https://support.microsoft.com/topic/error-opening-help-in-windows-based-programs-feature-not-included-or-help-not-supported-3c841463-d67c-6062-0ee7-1a149da3973b).| 1803 |
 |MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. For more information, see [Developer guide for creating service metadata](/windows-hardware/drivers/mobilebroadband/developer-guide-for-creating-service-metadata) | 1803 |
 |Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](/previous-versions/windows/desktop/wincontacts/-wincontacts-entry-point). Instead, you can use the People app in Windows 10 to maintain your contacts.| 1803 |
 |Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| 1803 |
-|IPv4/6 Transition Technologies (6to4, ISATAP, Teredo, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), Teredo has been disabled since Windows 10, version 1803, and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| 1803 |
-|[Layered Service Providers](/windows/win32/winsock/categorizing-layered-service-providers-and-applications)|Layered Service Providers has not been developed since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| 1803 |
+|IPv4/6 Transition Technologies (6to4, ISATAP, Teredo, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), Teredo has been disabled since Windows 10, version 1803. The Direct Tunnels feature has always been disabled by default. Use native IPv6 support instead.| 1803 |
+|[Layered Service Providers](/windows/win32/winsock/categorizing-layered-service-providers-and-applications)|Layered Service Providers haven't been developed since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to reinstall them after upgrading.| 1803 |
 |Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**<br>&nbsp;<br>The [Scan Management functionality](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 |
 |IIS 6 Management Compatibility*  | We recommend that users use alternative scripting tools and a newer management console. | 1709 |
 |IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
@@ -64,15 +65,15 @@ The features described below are no longer being actively developed, and might b
 |Screen saver functionality in Themes   | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
 |Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
 |System Image Backup (SIB) Solution  | We recommend that users use full-disk backup solutions from other vendors. | 1709 |
-|TLS RC4 Ciphers  |To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
+|TLS RC4 Ciphers  |To be disabled by default. For more information, see [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
 |Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
 |Trusted Platform Module (TPM): TPM.msc and TPM Remote Management  | To be replaced by a new user interface in a future release. | 1709 |
 |Trusted Platform Module (TPM) Remote Management |This functionality within TPM.msc will be migrated to a new user interface. | 1709 |
-|Windows Hello for Business deployment that uses Microsoft Endpoint Manager   |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
+|Windows Hello for Business deployment that uses Microsoft Endpoint Manager   |Windows Server 2016 Active Directory Federation Services - Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
 |Windows PowerShell 2.0  | Applications and components should be migrated to PowerShell 5.0+. | 1709 |
-|Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 |
+|Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This replacement includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 |
 |Tile Data Layer | The [Tile Data Layer](/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 |
 |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
 |TCPChimney | TCP Chimney Offload is no longer being developed.  See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
-|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
-|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019 as well.|
+|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and shouldn't be used. | 1703 |
+|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update has been deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019.|

windows/docfx.json

@@ -1,44 +0,0 @@
-{
-  "build": {
-    "content":
-      [
-        {
-          "files": ["**/**.md", "**/**.yml"],
-          "exclude": ["**/obj/**"]
-        }
-      ],
-    "resource": [
-        {
-          "files": ["**/images/**", "**/*.pdf", "**/*.bmp"],
-          "exclude": ["**/obj/**"]
-        }
-    ],
-    "globalMetadata": {
-      "recommendations": true,
-        "ROBOTS": "INDEX, FOLLOW",
-        "audience": "ITPro",
-        "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
-        "uhfHeaderId": "MSDocsHeader-M365-IT",
-    		"_op_documentIdPathDepotMapping": {
-    			"./": {
-    			  "depot_name": "Win.windows"
-          }
-        },
-      "contributors_to_exclude": [ 
-        "rjagiewich", 
-        "traya1", 
-        "rmca14", 
-        "claydetels19", 
-        "Kellylorenebaker",
-        "jborsecnik",
-        "tiburd",
-        "garycentric"
-     ]
-    },
-    "externalReference": [
-    ],
-    "template": "op.html",
-    "dest": "windows",
-    "markdownEngineName": "dfm"
-  }
-}

windows/security/identity-protection/hello-for-business/passwordless-strategy.md

@@ -1,136 +1,150 @@
 ---
-title: Passwordless Strategy
+title: Password-less strategy
 description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11.
-keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
 author: GitPrakhar13
 ms.author: prsriva
 manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 08/20/2018
 ms.reviewer:
+ms.collection: M365-identity-device-management
+ms.topic: conceptual
+localizationpriority: medium
+ms.date: 05/24/2022
 ---
-# Passwordless Strategy
+
+# Password-less strategy
+
+This article describes Windows' password-less strategy. Learn how Windows Hello for Business implements this strategy in Windows 10 and Windows 11.
 
 ## Four steps to password freedom
 
-Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom.
-![Passwordless approach.](images/four-steps-passwordless.png)
+Over the past few years, Microsoft has continued their commitment to enabling a world without passwords.
 
+:::image type="content" source="images/passwordless/four-steps-passwordless-strategy.png" alt-text="Diagram of stair-step strategy with four steps.":::
 
 ### 1. Develop a password replacement offering
+
 Before you move away from passwords, you need something to replace them. With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory.
 
-Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
+Deploying Windows Hello for Business is the first step towards a password-less environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
 
 ### 2. Reduce user-visible password surface area
-With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
 
-### 3. Transition into a passwordless deployment
-Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a passwordless world. A world where:
-- the users never type their password
-- the users never change their password
-- the users do not know their password
+With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, but they never use it. This state helps decondition users from providing a password anytime a password prompt shows on their computer. This behavior is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
+
+### 3. Transition into a password-less deployment
+
+Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where:
+
+- The users never type their password.
+- The users never change their password.
+- The users don't know their password.
 
 In this world, the user signs in to Windows using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
 
 ### 4. Eliminate passwords from the identity directory
-The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment.
+
+The final step of the password-less story is where passwords simply don't exist. At this step, identity directories no longer persist any form of the password. This stage is where Microsoft achieves the long-term security promise of a truly password-less environment.
 
 ## Methodology
-Four steps to password freedom provides an overall view of how Microsoft envisions the road to eliminating passwords.  But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed by any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here is one recommendation based on several years of research, investigation, and customer conversations.
 
-### Prepare for the Journey
-The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria influencing the length of that journey.
+Four steps to password freedom provide an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a password-less environment, but can easily become overwhelmed by any of the steps. You aren't alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here's one recommendation based on several years of research, investigation, and customer conversations.
+
+### Prepare for the journey
+
+The road to being password-less is a journey. The duration of that journey varies for each organization. It's important for IT decision-makers to understand the criteria influencing the length of that journey.
+
+The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the following components:
 
-The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the:
 - Number of departments
 - Organization or department hierarchy
 - Number and type of applications and services
 - Number of work personas
-
 - Organization's IT structure
 
 #### Number of departments
-The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly, while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well.
 
-You need to know all the departments within your organization and you need to know which departments use computers and which ones do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed that it is not applicable.
+The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and others such as research and development or support. Small organizations may not explicitly segment their departments, while larger ones may. Additionally, there may be subdepartments, and subdepartments of those subdepartments as well.
 
-Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but your partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy.
+You need to know all the departments within your organization and you need to know which departments use computers and which ones don't. It's fine if a department doesn't use computers (probably rare, but acceptable). This circumstance means there's one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you've assessed that it's not applicable.
+
+Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This realization is why you need to inventory all of them. Also, don't forget to include external departments such as vendors or federated partners. If your organization goes password-free, but your partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy.
 
 #### Organization or department hierarchy
-Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used, most likely differs between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device.
+
+Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they're used, most likely differs between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device.
 
 #### Number and type of applications and services
-The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical items in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application.
 
-Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the latter, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications.
+Most organizations have many applications and rarely do they have one centralized list that's accurate. Applications and services are the most critical items in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. Changing policies and procedures can be a daunting task. Consider the trade-off between updating your standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application.
+
+Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the latter, document the manufacturer and the version. Also, don't forget web-based applications or services when inventorying applications.
 
 #### Number of work personas
-Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona.
 
-A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high probability that you will have many work personas. These work personas will become units of work, and you will refer to them in documentation and in meetings. You need to give them a name.
+Work personas are where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this information, you want to create a work persona.
+
+A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There's a high probability that you'll have many work personas. These work personas will become units of work, and you'll refer to them in documentation and in meetings. You need to give them a name.
 
 Give your personas easy and intuitive names like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona.
 
-Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person who is in that department and who uses that specific software.
+Ultimately, create a naming convention that doesn't require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you're talking about a person who is in that department and who uses that specific software.
 
 #### Organization's IT structure
-IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password freedom. Ensure there is a passwordless stakeholder on each of these teams, and that the effort is understood and funded.
 
-#### Assess your Organization
-You have a ton of information. You have created your work personas, you have identified your stakeholders throughout the different IT groups. Now what?
+IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password freedom. Ensure there's a password-less stakeholder on each of these teams, and that the effort is understood and funded.
 
-By now you can see why it is a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you have identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it is only a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project which must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity.
+#### Assess your organization
 
-How long does it take to become passwordless?  The answer is "it depends". It depends on the organizational alignment of a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they have agreed on the strategy). Those resources will:
-- work through the work personas
-- organize and deploy user acceptance testing
-- evaluate user acceptance testing results for user-visible password surfaces
-- work with stakeholders to create solutions that mitigate user-visible password surfaces
-- add the solution to the project backlog and prioritize against other projects
-- deploy the solution
-- perform user acceptance testing to confirm that the solution mitigates the user-visible password surface
-- repeat the testing as needed
+You have a ton of information. You've created your work personas, you've identified your stakeholders throughout the different IT groups. Now what?
 
-Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state.
+By now you can see why it's a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you've identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's only a matter of moving users to it. Resolution to some passwords surfaces may exist, but aren't deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That project is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely affect productivity.
+
+How long does it take to become password-less?  The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that a password-less environment is the organization's goal makes conversations much easier. Easier conversations mean less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they've agreed on the strategy). Those resources will:
+
+- Work through the work personas.
+- Organize and deploy user acceptance testing.
+- Evaluate user acceptance testing results for user visible password surfaces.
+- Work with stakeholders to create solutions that mitigate user visible password surfaces.
+- Add the solution to the project backlog and prioritize against other projects.
+- Deploy the solution.
+- Perform user acceptance testing to confirm that the solution mitigates the user visible password surface.
+- Repeat the testing as needed.
+
+Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it's likely that to go password-less tomorrow is *n x 2* or more, *n x n*. Don't let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you'll see parts of your organization transition to a password-less state.
 
 ### Where to start?
-What is the best guidance for kicking off the journey to password freedom? You will want to show your management a proof of concept as soon as possible. Ideally, you want to show this at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused.
+
+What's the best guidance for kicking off the journey to password freedom? You'll want to show your management a proof of concept as soon as possible. Ideally, you want to show it at each step of your password-less journey. Keeping your password-less strategy top of mind and showing consistent progress keeps everyone focused.
 
 #### Work persona
-You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the steps to password freedom.
+
+You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. It's the targeted work persona you'll enable so that you can climb the steps to password freedom.
 
 > [!IMPORTANT]
-> Avoid using any work personas from your IT department. This is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey.
+> Avoid using any work personas from your IT department. This method is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey.
 
-Review your collection of work personas. Early in your passwordless journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot.
+Review your collection of work personas. Early in your password-less journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These roles are the perfect work personas for your proof-of-concept or pilot.
 
-Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could take a few days or several weeks, depending on the complexity of the targeted work persona.
+Most organizations host their proof of concept in a test lab or environment. If you do that test with a password-free strategy, it may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This process could take a few days or several weeks, depending on the complexity of the targeted work persona.
 
-You will want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline.
+You'll want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline.
 
-## The Process
+## The process
 
 The journey to password freedom is to take each work persona through each step of the process. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this:
 
-1. Passwordless replacement offering (Step 1)
+1. Password-less replacement offering (step 1)
    1. Identify test users representing the targeted work persona.
    2. Deploy Windows Hello for Business to test users.
    3. Validate that passwords and Windows Hello for Business work.
-2. Reduce User-visible Password Surface (Step 2)
+2. Reduce user-visible password surface (step 2)
    1. Survey test user workflow for password usage.
    2. Identify password usage and plan, develop, and deploy password mitigations.
    3. Repeat until all user password usage is mitigated.
    4. Remove password capabilities from Windows.
    5. Validate that **none of the workflows** need passwords.
-3. Transition into a passwordless scenario (Step 3)
+3. Transition into a password-less scenario (step 3)
    1. Awareness campaign and user education.
    2. Include remaining users who fit the work persona.
    3. Validate that **none of the users** of the work personas need passwords.
@@ -138,159 +152,198 @@ The journey to password freedom is to take each work persona through each step o
 
 After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process.
 
-### Passwordless replacement offering (Step 1)
+### Password-less replacement offering (step 1)
+
 The first step to password freedom is providing an alternative to passwords. Windows 10 and Windows 11 provide an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
 
 #### Identify test users that represent the targeted work persona
-A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.
+
+A successful transition relies on user acceptance testing. It's impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.
 
 #### Deploy Windows Hello for Business to test users
-Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming passwordless. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business.
 
-With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment.
+Next, you'll want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming password-less. Use the [Windows Hello for Business planning guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business.
+
+With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you'll only need to deploy the infrastructure once. When other targeted work personas need to start using Windows Hello for Business, add them to a group. You'll use the first work persona to validate your Windows Hello for Business deployment.
 
 > [!NOTE]
 > There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices.
 
 #### Validate that passwords and Windows Hello for Business work
+
 In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas.
 
-### Reduce User-visible Password Surface (Step 2)
-Before you move to step 2, ensure you have:
-- selected your targeted work persona.
-- identified your test users who represent the targeted work persona.
-- deployed Windows Hello for Business to test users.
-- validated passwords and Windows Hello for Business both work for the test users.
+### Reduce user-visible password surface (step 2)
+
+Before you move to step 2, make sure you've:
+
+- Selected your targeted work persona.
+- Identified your test users who represent the targeted work persona.
+- Deployed Windows Hello for Business to test users.
+- Validated passwords and Windows Hello for Business both work for the test users.
 
 #### Survey test user workflow for password usage
-Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as you further your progress through step 2.
 
-Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions:
-- What is the name of the application that asked for a password?.
-- Why do they use the application that asked for a password? (Example: is there more than one application that can do the same thing?).
-- What part of their workflow makes them use the application? Try to be as specific as possible (I use application x to issue credit card refunds for amounts over y.).
-- How frequently do you use this application in a given day? week?
+Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you don't know what, why, when, and how frequently. This information is important as you further your progress through step 2.
+
+Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: Document password usage. This list isn't a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions:
+
+- What's the name of the application that asked for a password?
+- Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing?
+- What part of their workflow makes them use the application? Try to be as specific as possible. For example, "I use application x to issue credit card refunds for amounts over y."
+- How frequently do you use this application in a given day or week?
 - Is the password you type into the application the same as the password you use to sign-in to Windows?
 
-Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being passwordless.
+Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being password-less.
 
 #### Identify password usage and plan, develop, and deploy password mitigations
-Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password.
 
-Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If it is policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password.
+Your test users have provided you valuable information that describes how, what, why, and when they use a password. It's now time for your team to identify each of these password use cases and understand why the user must use a password.
+
+Create a list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If it's policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password.
+
+Keep in mind your test users won't uncover all scenarios. Some scenarios you'll need to force on your users because they're low percentage scenarios. Remember to include the following scenarios:
 
-Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they are low percentage scenarios. Remember to include scenarios like:
 - Provisioning a new brand new user without a password.
 - Users who forget the PIN or other remediation flows when the strong credential is unusable.
 
-Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions - whichever of the two is easier or quicker. This will certainly vary by organization.
+Next, review your list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions, whichever of the two is easier or quicker. This choice will certainly vary by organization.
 
 Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded.
 
-Mitigating password usage with applications is one of the more challenging obstacles in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS).
+Mitigating password usage with applications is one of the more challenging obstacles in the password-less journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS).
 
 The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
 
-Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication.
+Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication.
 
 #### Repeat until all user password usage is mitigated
-Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you are stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you are out of options, contact Microsoft for assistance.
+
+Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This stage is where you rely on your test users. You want to keep a good portion of your first test users, but this point is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you've closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you're stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you're out of options, contact Microsoft for assistance.
 
 #### Remove password capabilities from Windows
-You believe you have mitigated all the password usage for the targeted work persona. Now comes the true test - configure Windows so the user cannot use a password.
+
+You believe you've mitigated all the password usage for the targeted work persona. Now comes the true test: configure Windows so the user can't use a password.
 
 Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider.
 
-##### Security Policy
+##### Security policy
+
 You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**.  The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
-![securityPolicyLocation.](images/passwordless/00-securityPolicy.png)
+
+:::image type="content" source="images/passwordless/gpmc-security-options.png" alt-text="The Group Policy Management Editor displaying the location of the Security Options node.":::
 
 **Windows Server 2016 and earlier**
 The policy name for these operating systems is **Interactive logon: Require smart card**.
-![securityPolicyBefore2016.](images/passwordless/00-securitypolicy-2016.png)
+
+:::image type="content" source="images/passwordless/gpmc-require-smart-card-policy.png" alt-text="The Group Policy Management Editor displaying the location of the policy 'Interactive logon: Require smart card'.":::
 
 **Windows 10, version 1703 or later using Remote Server Administrator Tools**
 The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
-![securityPolicyRSAT.](images/passwordless/00-updatedsecuritypolicytext.png)
+
+:::image type="content" source="images/passwordless/require-whfb-smart-card-policy.png" alt-text="Highlighting the security policy 'Interactive logon: Require Windows Hello for Business or smart card'.":::
 
 When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
 
 #### Excluding the password credential provider
-You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**
-![HideCredProvPolicy.](images/passwordless/00-hidecredprov.png)
 
-The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
-![HideCredProvPolicy2.](images/passwordless/01-hidecredprov.png)
+You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**:
 
-Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
+:::image type="content" source="images/passwordless/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'.":::
+
+The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `60b78e88-ead8-445c-9cfd-0b87f74ea6cd`.
+
+:::image type="content" source="images/passwordless/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'.":::
+
+Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This configuration prevents the user from entering a password using the credential provider. However, this change doesn't prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
 
 #### Validate that none of the workflows needs passwords
-This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well.
 
-### Transition into a passwordless deployment (Step 3)
-Congratulations!  You are ready to transition one or more portions of your organization to a passwordless deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success.
+This stage is the significant moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users won't be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Don't forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or can't use their strong credential. Ensure those scenarios are validated as well.
+
+### Transition into a password-less deployment (step 3)
+
+Congratulations! You're ready to transition one or more portions of your organization to a password-less deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success.
 
 #### Awareness and user education
-In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password freedom. Before you do this, you want to invest in an awareness campaign.
+
+In this last step, you're going to include the remaining users that fit the targeted work persona to the wonderful world of password freedom. Before you do this step, you want to invest in an awareness campaign.
 
 An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain  the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience.
 
 #### Including remaining users that fit the work persona
-You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being passwordless. Add the remaining users that match the targeted work persona to your deployment.
+
+You've implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being password-less. Add the remaining users that match the targeted work persona to your deployment.
 
 #### Validate that none of the users of the work personas needs passwords
-You have successfully transitioned all users for the targeted work persona to being passwordless. Monitor the users within the work persona to ensure they do not encounter any issues while working in a passwordless environment.
 
-Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are:
+You've successfully transitioned all users for the targeted work persona to being password-less. Monitor the users within the work persona to ensure they don't encounter any issues while working in a password-less environment.
+
+Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, consider the following questions:
+
 - Is the reporting user performing a task outside the work persona?
 - Is the reported issue affecting the entire work persona, or only specific users?
 - Is the outage a result of a misconfiguration?
-- Is the outage a overlooked gap from step 2?
+- Is the outage an overlooked gap from step 2?
 
 Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process.
 
-Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal, but do not let this slow down your momentum towards becoming passwordless. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it.
+Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this outcome isn't the end goal, but don't let it slow down your momentum towards becoming password-less. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it.
 
-#### Configure user accounts to disallow password authentication.
-You transitioned all the users for the targeted work persona to a passwordless environment and you have successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords.
+#### Configure user accounts to disallow password authentication
+
+You transitioned all the users for the targeted work persona to a password-less environment and you've successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords.
 
 You can change the user's password to random data and prevent domain controllers from allowing users to use passwords for interactive sign-ins using an account configuration on the user object.
 
-The account options on a user account includes an option -- **Smart card is required for interactive logon**, also known as (SCRIL).
+The account options on a user account include the option **Smart card is required for interactive logon**, also known as SCRIL.
 
 > [!NOTE]
 > Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller.
 
-![SCRIL setting on AD Users and Computers.](images/passwordless/00-scril-dsa.png)
-**SCRIL setting for a user on Active Directory Users and Computers.**
+The following image shows the SCRIL setting for a user in Active Directory Users and Computers:
 
-When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because:
-- they do not know their password.
-- their password is 128 random bits of data and is likely to include non-typable characters.
-- the user is not asked to change their password
-- domain controllers do not allow passwords for interactive authentication
+:::image type="content" source="images/passwordless/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options.":::
 
-![SCRIL setting from ADAC on Windows Server 2012.](images/passwordless/01-scril-adac-2012.png)
-**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.**
+When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level don't expire. The users are effectively password-less because:
+
+- They don't know their password.
+- Their password is 128 random bits of data and is likely to include non-typable characters.
+- The user isn't asked to change their password.
+- Domain controllers don't allow passwords for interactive authentication.
+
+The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012:
+
+:::image type="content" source="images/passwordless/server-2012-adac-user-scril.png" alt-text="Example user properties in Windows Server 2012 Active Directory Administrative Center that shows the SCRIL setting.":::
 
 > [!NOTE]
-> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically.
+> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account to generate a new random 128 bit password. Use the following process to toggle this configuration:
+>
+> 1. Disable the setting.
+> 1. Save changes.
+> 1. Enable the setting.
+> 1. Save changes again.
+>
+> When you upgrade the domain to Windows Server 2016 domain forest functional level or later, the domain controller automatically does this action for you.
 
-![SCRIL setting from ADAC on Windows Server 2016.](images/passwordless/01-scril-adac-2016.png)
-**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.**
+The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016:
 
-> [!NOTE]
+:::image type="content" source="images/passwordless/server-2016-adac-user-scril.png" alt-text="Example user properties in Windows Server 2016 Active Directory Administrative Center that shows the SCRIL setting.":::
+
+> [!TIP]
 > Windows Hello for Business was formerly known as Microsoft Passport.
 
 ##### Automatic password change for SCRIL configured users
-Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users.
 
-In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages.
-![Rotate Password 2016.](images/passwordless/02-rotate-scril-2016.png)
+Domains configured for Windows Server 2016 or later domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users.
+
+In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128-bit password for the user as part of the authentication. This feature is great because your users don't experience any change password notifications or any authentication outages.
+
+:::image type="content" source="images/passwordless/server-2016-adac-domain-scril.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL.":::
 
 > [!NOTE]
 > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
 
-## The Road Ahead
-The information presented here is just the beginning. We will update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a passwordless future, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback).
+## The road ahead
 
+The information presented here is just the beginning. We'll update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a password-less future, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback).

windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md

@@ -1,38 +1,36 @@
 ---
-title: BitLocker Network Unlock known issues
-description: Describes several known issues that you may encounter while using Network Unlock, and provided guidance for addressing those issues.
-ms.reviewer: kaushika
+title: BitLocker network unlock known issues
+description: Describes several known issues that you may encounter while using network unlock, and provided guidance for addressing those issues.
 ms.technology: windows-sec
 ms.prod: m365-security
-ms.sitesec: library
 ms.localizationpriority: medium
 author: Teresa-Motiv
 ms.author: v-tappelgate
 manager: kaushika
-audience: ITPro
+ms.reviewer: kaushika
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.custom: bitlocker
 ---
 
-# BitLocker Network Unlock: known issues
+# BitLocker network unlock: known issues
 
-By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, You have to configure your environment to meet the following requirements:
+By using the BitLocker network unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To configure this behavior, your environment needs to meet the following requirements:
 
-- Each computer belongs to a domain
-- Each computer has a wired connection to the corporate network
-- The corporate network uses DHCP to manage IP addresses
-- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware
+- Each computer belongs to a domain.
+- Each computer has a wired connection to the internal network.
+- The internal network uses DHCP to manage IP addresses.
+- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware.
 
-For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock).
+For general guidelines about how to troubleshoot network unlock, see [How to enable network unlock: Troubleshoot network unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock).
 
-This article describes several known issues that you may encounter when you use Network Unlock, and provides guidance to address these issues.
+This article describes several known issues that you may encounter when you use network unlock, and provides guidance to address these issues.
 
-## Tip: Detect whether BitLocker Network Unlock is enabled on a specific computer
+## Tip: Detect whether BitLocker network unlock is enabled on a specific computer
 
-You can use the following steps on computers that have either x64 or x32 UEFI systems. You can also script these commands.
+You can use the following steps on computers with either x64 or x32 UEFI firmware. You can also script these commands.
 
-1. Open an elevated Command Prompt window and run the following command:
+1. Open an elevated command prompt window and run the following command:
 
    ```cmd
    manage-bde -protectors -get <Drive>
@@ -42,51 +40,51 @@ You can use the following steps on computers that have either x64 or x32 UEFI sy
    manage-bde -protectors -get C:
    ```
 
-   where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive.
-   If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock.
+   Where `<Drive>` is the drive letter, followed by a colon (`:`), of the bootable drive.
+   If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker network unlock.
 
 1. Start Registry Editor, and verify the following settings:
-   - Entry **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE: OSManageNKP** is set to **1**
-   - Subkey **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** has an entry whose name matches the name of the certificate thumbprint of the Network Unlock key protector that you found in step 1.
+   - Entry `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE: OSManageNKP` is set to `1`.
+   - Subkey `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates` has an entry whose name matches the name of the certificate thumbprint of the network unlock key protector that you found in step 1.
 
-## On a Surface Pro 4 device, BitLocker Network Unlock does not work because the UEFI network stack is incorrectly configured
+## 1. On a Surface Pro 4 device, BitLocker network unlock doesn't work because the UEFI network stack is incorrectly configured
 
-You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN.  
+You've configured BitLocker network unlock as described in [BitLocker: How to enable network unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You've configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN.  
 
-You test another device, such as a different type of tablet or laptop PC, that is configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device.
+You test another device, such as a different type of tablet or laptop PC that's configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device.
 
-### Cause
+### Cause of issue 1
 
-The UEFI network stack on the device was incorrectly configured.
+The UEFI network stack on the device was incorrectly configured.
 
-### Resolution
+### Resolution for issue 1
 
 To correctly configure the UEFI network stack of the Surface Pro 4, you have to use Microsoft Surface Enterprise Management Mode (SEMM). For information about SEMM, see [Enroll and configure Surface devices with SEMM](/surface/enroll-and-configure-surface-devices-with-semm).
 
 > [!NOTE]
-> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker Network Unlock by configuring the device to use the network as its first boot option.
+> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker network unlock by configuring the device to use the network as its first boot option.
 
-## Unable to use BitLocker Network Unlock feature on a Windows client computer
+## 2. Unable to use BitLocker network unlock feature on a Windows client computer
 
-You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8-based client computer that is connected to the corporate LAN by using an Ethernet Cable. However, when you restart the computer, it still prompts you for the BitLocker PIN.  
+You have configured BitLocker network unlock as described in [BitLocker: How to enable network unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8 client computer that is connected to the internal network with an ethernet cable. However, when you restart the computer, it still prompts you for the BitLocker PIN.
 
-### Cause
+### Cause of issue 2
 
-A Windows 8-based or Windows Server 2012-based client computer sometimes does not receive or use the Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
+A Windows 8-based or Windows Server 2012-based client computer sometimes doesn't receive or use the network unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
 
-DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests.
+DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This behavior means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests.
 
 The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option:
 
-- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages.  
-- The third message that the BitLocker Network Unlock client sends does not have the Message Type option. The DHCP server treats the message as a BOOTP request.
+- The first two messages that the BitLocker network unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages.
+- The third message that the BitLocker network unlock client sends doesn't have the Message Type option. The DHCP server treats the message as a BOOTP request.
 
-A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client does not send a DHCPREQUEST message, nor does that client expect a DHCPACK message.
+A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client doesn't send a DHCPREQUEST message, nor does that client expect a DHCPACK message.
 
-If a DHCP server that is not configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
+If a DHCP server that isn't configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
 
-For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence)
+For more information about DHCP and BitLocker network unlock, see [BitLocker: How to enable network unlock: network unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence).
 
-### Resolution
+### Resolution for issue 2
 
 To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**.

windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md

@@ -13,7 +13,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 03/05/2019
+ms.date: 05/25/2022
 ms.reviewer: 
 ---
 
@@ -26,7 +26,7 @@ This list provides all of the tasks and settings that are required for the opera
 
 |Task|Description|
 |----|-----------|
-|Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.|
+|Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. |
 |Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
 |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
 |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|

windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml

@@ -1,22 +1,17 @@
 ### YamlMime:FAQ
 metadata:
   title: Advanced security auditing FAQ (Windows 10)
-  description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
-  ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06
-  ms.reviewer: 
-  ms.author: dansimp
+  description: This article lists common questions and answers about understanding, deploying, and managing security audit policies.
   ms.prod: m365-security
-  ms.mktglfcycl: deploy
-  ms.sitesec: library
-  ms.pagetype: security
+  ms.technology: mde
   ms.localizationpriority: none
   author: dansimp
+  ms.author: dansimp
   manager: dansimp
-  audience: ITPro
+  ms.reviewer: 
   ms.collection: M365-security-compliance
   ms.topic: faq
-  ms.date: 11/10/2021
-  ms.technology: mde
+  ms.date: 05/24/2022
 
 title: Advanced security auditing FAQ
 
@@ -35,36 +30,37 @@ sections:
       - question: |
           What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
         answer: |
-          The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
+          The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they're recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you're editing the effective audit policy. Changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
           
-          There are a number of additional differences between the security audit policy settings in these two locations.
+          There are several other differences between the security audit policy settings in these two locations.
           
           There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy
-          Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking.
+          Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account sign-in, and the advanced audit policy provides four. Enabling the single basic setting would be the equivalent of setting all four advanced settings. In comparison, setting a single advanced audit policy setting doesn't generate audit events for activities that you aren't interested in tracking.
           
-          In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
+          In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account sign-in activities. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
           
-          The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later.
+          The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** and the advanced audit policy settings are available in all supported versions of Windows.
           
       - question: |
           What is the interaction between basic audit policy settings and advanced audit policy settings?
         answer: |
-          Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
+          Basic audit policy settings aren't compatible with advanced audit policy settings that are applied by using group policy. When advanced audit policy settings are applied by using group policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using group policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
           
-          Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other domain GPOs or logon scripts. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied.
+          Editing and applying the advanced audit policy settings in Local Security Policy modifies the local group policy object (GPO). If there are policies from other domain GPOs or logon scripts, changes made here may not be exactly reflected in Auditpol.exe. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. Because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain group policy settings are reflected as soon as the new policy is applied.
           
-          > **Important**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
+          > [!Important]
+          > Whether you apply advanced audit policies by using group policy or by using logon scripts, don't use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
           
-          If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored.
-           
+          If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored.
+           
       - question: |
-          How are audit settings merged by Group Policy?
+          How are audit settings merged by group policy?
         answer: |
           By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level.
           
-          For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing).
+          For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level. The only exception is if you take special steps to apply group policy loopback processing.
           
-          The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
+          The rules that govern how group policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
           
           
           | Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer |
@@ -76,74 +72,68 @@ sections:
       - question: |
           What is the difference between an object DACL and an object SACL?
         answer: |
-          All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
+          All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
           
           -   A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
           -   A system access control list (SACL) that controls how access is audited
           
           The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
           
-          If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not configured entirely unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
+          If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing isn't configured entirely unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
           
       - question: |
           Why are audit policies applied on a per-computer basis rather than per user?
         answer: |
           In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer.
           
-          In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
+          Audit policy capabilities can vary between computers running different versions of Windows. The best way to make sure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
           
-          However, when you want audit settings to apply only to specified groups of users, you can accomplish this customization by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This configuration results in an audit of attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
+          However, when you want audit settings to apply only to specified groups of users, you can accomplish this customization by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This configuration results in an audit of attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. Because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
           
       - question: |
-          What are the differences in auditing functionality between versions of Windows?
+          Are there any differences in auditing functionality between versions of Windows?
         answer: |
-          Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings.
-
-      - question: |
-          Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server?
-        answer: |
-          To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported.
+          No. Basic and advanced audit policy settings are available in all supported versions of Windows. They can be configured and applied by local or domain group policy settings.
 
       - question: |
           What is the difference between success and failure events? Is something wrong if I get a failure audit?
         answer: |
           A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully.
           
-          A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully.
+          A failure audit event is triggered when a defined action, such as a user sign-in, isn't completed successfully.
           
-          The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may mean that a user mistyped the password.
+          The appearance of failure audit events in the event log doesn't necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may mean that a user mistyped the password.
           
       - question: |
           How can I set an audit policy that affects all objects on a computer?
         answer: |
           System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This requirement has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
-          Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This application of SACL can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This resultant SACL from the combination means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
+
+          Security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This application of SACL can be useful for verifying that all critical files, folders, and registry settings on a computer are protected. It's also useful to identify when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This behavior also applies to a single registry setting SACL and a global object access auditing policy. This resultant SACL from the combination means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
           
       - question: |
           How do I figure out why someone was able to access a resource?
         answer: |
-          Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
+          Often it isn't enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
 
       - question: |
           How do I know when changes are made to access control settings, by whom, and what the changes were?
         answer: |
-          To track access control changes on computers running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs:
+          To track access control changes, you need to enable the following settings, which track changes to DACLs:
           -   **Audit File System** subcategory: Enable for success, failure, or success and failure
           -   **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure
           -   A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor
-          
-          In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory.
-          
+
       - question: |
           How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
         answer: |
           Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you later change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings:
           
           1.  Set all Advanced Audit Policy subcategories to **Not configured**.
-          2.  Delete all audit.csv files from the %SYSVOL% folder on the domain controller.
+          2.  Delete all audit.csv files from the `%SYSVOL%` folder on the domain controller.
           3.  Reconfigure and apply the basic audit policy settings.
           
-          Unless you complete all of these steps, the basic audit policy settings will not be restored.
+          Unless you complete all of these steps, the basic audit policy settings won't be restored.
           
       - question: |
           How can I monitor if changes are made to audit policy settings?
@@ -166,27 +156,25 @@ sections:
       - question: |
           What are the best tools to model and manage audit policies?
         answer: |
-          The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies.
-          On an individual computer, the Auditpol command-line tool can be used to complete many important audit policy–related management tasks.
+          The integration of advanced audit policy settings with domain is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy group policy objects for a domain can also be used to plan and deploy security audit policies.
+          On an individual computer, the `Auditpol` command-line tool can be used to complete many important audit policy-related management tasks.
           
-          In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data.
+          There are also other computer management products, such as the Audit Collection Services in System Center Operations Manager, which can be used to collect and filter event data. For more information, see [How to install an Audit Collection Services (ACS) collector and database](/system-center/scom/deploy-install-acs).
           
       - question: |
           Where can I find information about all the possible events that I might receive?
         answer: |
-          Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources:
+          Users who examine the security event log for the first time can be a bit overwhelmed. The number of audit events that are stored there can quickly number in the thousands. The structured information that's included for each audit event can also be confusing. For more information about these events, and the settings used to generate them, see the following resources:
           
-          -   [Windows 8 and Windows Server 2012 Security Event Details](https://www.microsoft.com/download/details.aspx?id=35753)
-          -   [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780)
-          -   [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?linkid=121868)
-          -   [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
+          - [Windows security audit events](https://www.microsoft.com/download/details.aspx?id=50034)
+          - [Windows 10 and Windows Server 2016 security auditing and monitoring reference](https://www.microsoft.com/download/details.aspx?id=52630)
+          - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
           
       - question: |
           Where can I find more detailed information?
         answer: |
           To learn more about security audit policies, see the following resources:
           
-          -   [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
-          -   [Security Monitoring and Attack Detection Planning Guide](https://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx)
-          -   [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780)
-          -   [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?LinkId=121868)
+          - [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
+          - [Windows 8 and Windows Server 2012 security event details](https://www.microsoft.com/download/details.aspx?id=35753)
+          - [Security audit events for Windows 7 and Windows Server 2008 R2](https://www.microsoft.com/download/details.aspx?id=21561)

windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md

@@ -12,6 +12,7 @@ ms.localizationpriority: high
 ms.reviewer: 
 manager: dansimp
 ms.technology: windows-sec
+adobe-target: true
 ---
 
 # Microsoft Defender SmartScreen

windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md

@@ -1,21 +1,16 @@
 ---
 title: Understanding Application Control event IDs (Windows)
 description: Learn what different Windows Defender Application Control event IDs signify.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
+ms.technology: windows-sec
 ms.localizationpriority: medium
-audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: dansimp
 manager: dansimp
 ms.date: 05/09/2022
-ms.technology: windows-sec
+ms.topic: reference
 ---
 
 # Understanding Application Control events
@@ -26,44 +21,44 @@ ms.technology: windows-sec
 - Windows 11
 - Windows Server 2016 and later (limited events)
 
-A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
+A Windows Defender Application Control policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
 
-- Events about WDAC policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
+- Events about Application Control policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
 
 - Events about the control of MSI installers, scripts, and COM objects appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**
 
 > [!NOTE]
 > These event IDs are not included on Windows Server Core edition.
 
-## WDAC events found in the Microsoft Windows CodeIntegrity Operational log
+## Windows CodeIntegrity Operational log
 
 | Event ID | Explanation |
 |--------|-----------|
-| 3004 | This event isn't common and may occur with or without a WDAC policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required. |
-| 3033 | This event isn't common. It often means the file's signature is revoked or expired. Try using option *20 Enabled:Revoked Expired As Unsigned* in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs. |
-| 3034 | This event isn't common. It is the audit mode equivalent of event 3033 described above. |
-| 3076 | This event is the main WDAC block event for audit mode policies. It indicates that the file would have been blocked if the WDAC policy was enforced. |
-| 3077 | This event is the main WDAC block event for enforced policies. It indicates that the file did not pass your WDAC policy and was blocked. |
-| 3089 | This event contains signature information for files that were blocked or would have been blocked by WDAC. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the "Correlation ActivityID" found in the "System" portion of the event. |
-| 3099 | Indicates that a policy has been loaded. This event also includes information about the WDAC policy options that were specified by the WDAC policy. |
+| 3004 | This event isn't common and may occur with or without an Application Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required. |
+| 3033 | This event isn't common. It often means the file's signature is revoked or expired. Try using option `20 Enabled:Revoked Expired As Unsigned` in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs. |
+| 3034 | This event isn't common. It's the audit mode equivalent of event 3033 described above. |
+| 3076 | This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced. |
+| 3077 | This event is the main Application Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked. |
+| 3089 | This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the `Correlation ActivityID` found in the **System** portion of the event. |
+| 3099 | Indicates that a policy has been loaded. This event also includes information about the Application Control policy options that were specified by the policy. |
 
-## WDAC events found in the Microsoft Windows AppLocker MSI and Script log
+## Windows AppLocker MSI and Script log
 
 | Event ID | Explanation |
 |--------|-----------|
-| 8028 | This event indicates that a script host, such as PowerShell, queried WDAC about a file the script host was about to run. Since the WDAC policy was in audit mode, the script or MSI file should have run. Some script hosts may have additional information in their logs. Note: Most third-party script hosts do not integrate with WDAC. Consider the risks from unverified scripts when choosing which script hosts you allow to run. |
+| 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. |
 | 8029 | This event is the enforcement mode equivalent of event 8028 described above. Note: While this event says that a script was blocked, the actual script enforcement behavior is implemented by the script host. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell will allow a script to run but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes.md). |
 | 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). |
-| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. 8038 events are correlated with 8028 and 8029 events and can be matched using the "Correlation ActivityID" found in the "System" portion of the event. |
+| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. 8038 events are correlated with 8028 and 8029 events and can be matched using the `Correlation ActivityID` found in the **System** portion of the event. |
 
 ## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI)
 
-Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any WDAC policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events do not necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above.
+Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any Application Control policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events don't necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above.
 
 | Event ID | Explanation |
 |--------|---------|
 | 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. |
-| 3091 | This event indicates that a file did not have ISG or managed installer authorization and the WDAC policy is in audit mode. |
+| 3091 | This event indicates that a file didn't have ISG or managed installer authorization and the Application Control policy is in audit mode. |
 | 3092 | This event is the enforcement mode equivalent of 3091. |
 
 The above events are reported per active policy on the system, so you may see multiple events for the same file.
@@ -78,8 +73,8 @@ The following information is found in the details for 3090, 3091, and 3092 event
 | PassesManagedInstaller | Indicates whether the file originated from a MI |
 | SmartlockerEnabled | Indicates whether the specified policy enables ISG trust |
 | PassesSmartlocker | Indicates whether the file had positive reputation according to the ISG |
-| AuditEnabled | True if the WDAC policy is in audit mode, otherwise it is in enforce mode |
-| PolicyName | The name of the WDAC policy to which the event applies |
+| AuditEnabled | True if the Application Control policy is in audit mode, otherwise it is in enforce mode |
+| PolicyName | The name of the Application Control policy to which the event applies |
 
 ### Enabling ISG and MI diagnostic events
 
@@ -93,29 +88,30 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x
 
 ## Event ID 3099 Options
 
-The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow.
+The Application Control policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow.
 
 - Access Event Viewer.
 - Access the Code integrity 3099 event.
 - Access the details pane.
-- Identify the hex code listed in the “Options” field.
-- Convert the hex code to binary
+- Identify the hex code listed in the "Options" field.
+- Convert the hex code to binary.
 
-:::image type="content" source="images/event-3099-options.png" alt-text="Event 3099 Policy Rule Options":::
+:::image type="content" source="images/event-3099-options.png" alt-text="Event 3099 policy rule options.":::
 
-For a simple solution for converting hex to binary, follow these steps.
-- Open the Calculator app
-- Click on the menu icon :::image type="content" source="images/calculator-menu-icon.png" alt-text="calculator menu icon example":::
-- Click Programmer mode
-- Click HEX  :::image type="content" source="images/hex-icon.png" alt-text="HEX icon example":::
-- Enter your hex code
-- Click Bit Toggling Keyboard :::image type="content" source="images/bit-toggling-keyboard-icon.png" alt-text="Bit Toggling Keyboard icon example":::
+For a simple solution for converting hex to binary, follow these steps:
 
-:::image type="content" source="images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary":::
+1. Open the Calculator app.
+1. Select the menu icon. :::image type="icon" source="images/calculator-menu-icon.png" border="false":::
+1. Select **Programmer** mode.
+1. Select **HEX**. :::image type="icon" source="images/hex-icon.png" border="false":::
+1. Enter your hex code. For example, `80881000`.
+1. Switch to the **Bit Toggling Keyboard**. :::image type="icon" source="images/bit-toggling-keyboard-icon.png" border="false":::
+
+:::image type="content" source="images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary.":::
 
 This view will provide the hex code in binary form, with each bit address shown separately.  The bit addresses start at 0 in the bottom right.  Each bit address correlates to a specific event policy-rule option.  If the bit address holds a value of 1, the setting is in the policy.
 
-Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the “Enabled:Audit Mode (Default)” is in the policy meaning the policy is in audit mode.
+Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the **Enabled: Audit Mode (Default)** option is in the policy. This setting means that the policy is in audit mode.
 
 | Bit Address | Policy Rule Option |
 |-------|------|
@@ -147,46 +143,46 @@ A list of other relevant event IDs and their corresponding description.
 | Event ID | Description |
 |-------|------|
 | 3001 | An unsigned driver was attempted to load on the system. |
-| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. |
-| 3004 | Code Integrity could not verify the file as the page hash could not be found. |
+| 3002 | Code Integrity couldn't verify the boot image as the page hash couldn't be found. |
+| 3004 | Code Integrity couldn't verify the file as the page hash couldn't be found. |
 | 3010 | The catalog containing the signature for the file under validation is invalid. |
 | 3011 | Code Integrity finished loading the signature catalog. |
 | 3012 | Code Integrity started loading the signature catalog. |
-| 3023 | The driver file under validation did not meet the requirements to pass the application control policy. |
+| 3023 | The driver file under validation didn't meet the requirements to pass the application control policy. |
 | 3024 | Windows application control was unable to refresh the boot catalog file. |
 | 3026 | The catalog loaded is signed by a signing certificate that has been revoked by Microsoft and/or the certificate issuing authority. |
-| 3032 | The file under validation is revoked by the system or the file has a signature that has been revoked. 
-| 3033 | The file under validation did not meet the requirements to pass the application control policy. |
-| 3034 | The file under validation would not meet the requirements to pass the application control policy if the WDAC policy was enforced. The file was allowed since the WDAC policy is in audit mode. |
-| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
-| 3064 | If the WDAC policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. The DLL was allowed since the WDAC policy is in audit mode. |
-| 3065 | If the WDAC policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. |
+| 3032 | The file under validation is revoked by the system or the file has a signature that has been revoked.
+| 3033 | The file under validation didn't meet the requirements to pass the application control policy. |
+| 3034 | The file under validation wouldn't meet the requirements to pass the Application Control policy if it was enforced. The file was allowed since the policy is in audit mode. |
+| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
+| 3064 | If the Application Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. |
+| 3065 | If the Application Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the application control policy. |
 | 3074 | Page hash failure while hypervisor-protected code integrity was enabled. |
-| 3075 | This event measures the performance of the WDAC policy check during file validation. |
-| 3076 | This event is the main WDAC block event for audit mode policies. It indicates that the file would have been blocked if the WDAC policy was enforced. |
-| 3077 | This event is the main WDAC block event for enforced policies. It indicates that the file did not pass your WDAC policy and was blocked. |
-| 3079 | The file under validation did not meet the requirements to pass the application control policy. |
-| 3080 | If the WDAC policy was in enforced mode, the file under validation would not have met the requirements to pass the application control policy. |
-| 3081 | The file under validation did not meet the requirements to pass the application control policy. |
-| 3082 | If the WDAC policy was in enforced mode, the non-WHQL driver would have been denied by the WDAC policy. |
+| 3075 | This event measures the performance of the Application Control policy check during file validation. |
+| 3076 | This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced. |
+| 3077 | This event is the main Application Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked. |
+| 3079 | The file under validation didn't meet the requirements to pass the application control policy. |
+| 3080 | If the Application Control policy was in enforced mode, the file under validation wouldn't have met the requirements to pass the application control policy. |
+| 3081 | The file under validation didn't meet the requirements to pass the application control policy. |
+| 3082 | If the Application Control policy was in enforced mode, the non-WHQL driver would have been denied by the policy. |
 | 3084 | Code Integrity will enforce the WHQL driver signing requirements on this boot session. |
-| 3085 | Code Integrity will not enforce the WHQL driver signing requirements on this boot session. |
-| 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. |
-| 3089 | This event contains signature information for files that were blocked or would have been blocked by WDAC. One 3089 event is created for each signature of a file. |
+| 3085 | Code Integrity won't enforce the WHQL driver signing requirements on this boot session. |
+| 3086 | The file under validation doesn't meet the signing requirements for an isolated user mode (IUM) process. |
+| 3089 | This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. |
 | 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. |
-| 3091 | This event indicates that a file did not have ISG or managed installer authorization and the WDAC policy is in audit mode. |
+| 3091 | This event indicates that a file didn't have ISG or managed installer authorization and the Application Control policy is in audit mode. |
 | 3092 | This event is the enforcement mode equivalent of 3091. |
-| 3095 | The WDAC policy cannot be refreshed and must be rebooted instead. |
-| 3096 | The WDAC policy was not refreshed since it is already up-to-date. |
-| 3097 | The WDAC policy cannot be refreshed. |
-| 3099 | Indicates that a policy has been loaded. This event also includes information about the WDAC policy options that were specified by the WDAC policy.  |
+| 3095 | The Application Control policy can't be refreshed and must be rebooted instead. |
+| 3096 | The Application Control policy wasn't refreshed since it's already up-to-date. |
+| 3097 | The Application Control policy can't be refreshed. |
+| 3099 | Indicates that a policy has been loaded. This event also includes information about the options that were specified by the Application Control policy.  |
 | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
-| 3101 | The system started refreshing the WDAC policy. |
-| 3102 | The system finished refreshing the WDAC policy. |
-| 3103 | The system is ignoring the WDAC policy refresh. |
-| 3104 | The file under validation does not meet the signing requirements for a PPL (protected process light) process. |
-| 3105 | The system is attempting to refresh the WDAC policy. |
+| 3101 | The system started refreshing the Application Control policy. |
+| 3102 | The system finished refreshing the Application Control policy. |
+| 3103 | The system is ignoring the Application Control policy refresh. |
+| 3104 | The file under validation doesn't meet the signing requirements for a PPL (protected process light) process. |
+| 3105 | The system is attempting to refresh the Application Control policy. |
 | 3108 | Windows mode change event was successful. |
 | 3110 | Windows mode change event was unsuccessful. |
-| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. |
+| 3111 | The file under validation didn't meet the hypervisor-protected code integrity (HVCI) policy. |
 | 3112 | The file under validation is signed by a certificate that has been explicitly revoked by Windows. |

windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md

@@ -1,21 +1,16 @@
 ---
 title: Windows Defender Application Control Wizard
-description: Microsoft Defender Application Control Wizard (WDAC) Wizard allows users to create, edit, and merge application control policies in a simple to use Windows application.
-keywords: allowlisting, blocklisting, security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+description: The Windows Defender Application Control policy wizard tool allows you to create, edit, and merge application control policies in a simple to use Windows application.
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
+ms.technology: windows-sec
 ms.localizationpriority: medium
-audience: ITPro
 ms.collection: M365-security-compliance
 author: jgeurten
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.topic: conceptual
-ms.technology: windows-sec
+ms.date: 05/24/2022
 ---
 
 # Windows Defender Application Control Wizard
@@ -29,26 +24,26 @@ ms.technology: windows-sec
 > [!NOTE]
 > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 
-The Windows Defender Application Control (WDAC) policy wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. The wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the wizard and PowerShell cmdlets is identical.
+The Windows Defender Application Control policy wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. It was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge Application Control policies. This tool uses the [ConfigCI PowerShell cmdlets](/powershell/module/configci) in the backend so the output policy of the tool and PowerShell cmdlets is identical.
 
 ## Downloading the application
 
-The WDAC wizard can be downloaded from the official [WDAC Wizard installer website](https://webapp-wdac-wizard.azurewebsites.net) as an MSIX packaged application. The wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit).
+Download the tool from the official [Windows Defender Application Control Policy Wizard website](https://webapp-wdac-wizard.azurewebsites.net/) as an MSIX packaged application. The tool's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Policy Wizard repository](https://github.com/MicrosoftDocs/WDAC-Toolkit).
 
-**Supported Clients**
+### Supported clients
 
-As the WDAC wizard uses the cmdlets in the background, the wizard is functional on clients only where the cmdlets are supported as outlined in [WDAC feature availability](feature-availability.md). Specifically, the tool will verify that the client meets one of the following requirements: 
+As the tool uses the cmdlets in the background, it's functional on clients only where the cmdlets are supported. For more information, see [Application Control feature availability](feature-availability.md). Specifically, the tool verifies that the client meets one of the following requirements:
 
--   Windows builds 1909+
--   For pre-1909 builds, the Enterprise SKU of Windows is installed
+- Windows 10, version 1909 or later
+- For pre-1909 builds, the Enterprise SKU of Windows is installed
 
-If neither requirement is satisfied, the wizard will throw an error as the cmdlets are not available.
+If neither requirement is satisfied, it throws an error as the cmdlets aren't available.
 
 ## Resources to learn more
 
-| Topic | Description |
+| Article | Description |
 | - | - |
 | [Creating a new base policy](wdac-wizard-create-base-policy.md) | This article describes how to create a new base policy using one of the supplied policy templates. |
 | [Creating a new supplemental policy](wdac-wizard-create-supplemental-policy.md) | This article describes the steps necessary to create a supplemental policy, from one of the supplied templates, for an existing base policy. |
-| [Editing a base or supplemental policy](wdac-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the wizard's editing capabilities. |
+| [Editing a base or supplemental policy](wdac-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the tool's editing capabilities. |
 | [Merging policies](wdac-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. |