Merge branch 'MicrosoftDocs:main' into zwhitt-microsoft-cg-patch1

.openpublishing.redirection.education.json

@@ -229,6 +229,83 @@
       "source_path": "education/windows/windows-editions-for-education-customers.md",
       "redirect_url": "/education/windows",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/configure-windows-for-education.md",
+      "redirect_url": "/education/windows",
+      "redirect_document_id": false
+    },
+
+
+    {
+      "source_path": "education/windows/tutorial-school-deployment/configure-device-apps.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/configure-device-apps",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/configure-device-settings.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/configure-device-settings",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/configure-devices-overview.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/configure-devices-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/enroll-autopilot.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-autopilot",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/enroll-entra-join.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-entra-join",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/enroll-overview.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/enroll-package.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-package",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/index.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/introduction",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/manage-overview.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/manage-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/manage-surface-devices.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/manage-surface-devices",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/reset-wipe.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/reset-wipe",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/set-up-microsoft-entra-id",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/set-up-microsoft-intune.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/set-up-microsoft-intune",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "education/windows/tutorial-school-deployment/troubleshoot-overview.md",
+      "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/troubleshoot-overview",
+      "redirect_document_id": false
     }
   ]
 }

.openpublishing.redirection.windows-configuration.json

@@ -162,7 +162,7 @@
     },
     {
       "source_path": "windows/configuration/start-taskbar-lockscreen.md",
-      "redirect_url": "/windows/configuration/windows-10-start-layout-options-and-policies",
+      "redirect_url": "/windows/configuration/start/policy-settings",
       "redirect_document_id": false
     },
     {
@@ -287,7 +287,7 @@
     },
     {
       "source_path": "windows/configuration/customize-and-export-start-layout.md",
-      "redirect_url": "/windows/configuration/start/customize-and-export-start-layout",
+      "redirect_url": "/windows/configuration/start/layout",
       "redirect_document_id": false
     },
     {
@@ -422,12 +422,12 @@
     },
     {
       "source_path": "windows/configuration/start-layout-xml-desktop.md",
-      "redirect_url": "/windows/configuration/start/start-layout-xml-desktop",
+      "redirect_url": "/windows/configuration/start/layout",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/start-secondary-tiles.md",
-      "redirect_url": "/windows/configuration/start/start-secondary-tiles",
+      "redirect_url": "/windows/configuration/start/layout",
       "redirect_document_id": false
     },
     {
@@ -442,7 +442,7 @@
     },
     {
       "source_path": "windows/configuration/supported-csp-start-menu-layout-windows.md",
-      "redirect_url": "/windows/configuration/start/supported-csp-start-menu-layout-windows",
+      "redirect_url": "/windows/configuration/start/policy-settings",
       "redirect_document_id": false
     },
     {
@@ -452,7 +452,7 @@
     },
     {
       "source_path": "windows/configuration/windows-10-start-layout-options-and-policies.md",
-      "redirect_url": "/windows/configuration/start/windows-10-start-layout-options-and-policies",
+      "redirect_url": "/windows/configuration/start/policy-settings",
       "redirect_document_id": false
     },
     {
@@ -462,7 +462,12 @@
     },
     {
       "source_path": "windows/configuration/windows-spotlight.md",
-      "redirect_url": "/windows/configuration/lock-screen/windows-spotlight",
+      "redirect_url": "/windows/configuration/windows-spotlight/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/lock-screen/windows-spotlight.md",
+      "redirect_url": "/windows/configuration/windows-spotlight",
       "redirect_document_id": false
     },
     {
@@ -822,22 +827,22 @@
     },
     {
       "source_path": "windows/configuration/start/customize-start-menu-layout-windows-11.md",
-      "redirect_url": "/windows/configuration/start/customize-and-export-start-layout",
+      "redirect_url": "/windows/configuration/start/layout",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md",
-      "redirect_url": "/windows/configuration/start/customize-and-export-start-layout",
+      "redirect_url": "/windows/configuration/start/layout",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md",
-      "redirect_url": "/windows/configuration/start/customize-and-export-start-layout",
+      "redirect_url": "/windows/configuration/start/layout",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md",
-      "redirect_url": "/windows/configuration/start/customize-and-export-start-layout",
+      "redirect_url": "/windows/configuration/start/layout",
       "redirect_document_id": false
     },
     {
@@ -850,6 +855,11 @@
       "redirect_url": "/windows/configuration/taskbar/",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/configuration/start/supported-csp-start-menu-layout-windows.md",
+      "redirect_url": "/windows/configuration/start/policy-settings",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/configuration/tips/manage-tips-and-suggestions.md",
       "redirect_url": "/windows/configuration",
@@ -864,6 +874,26 @@
       "source_path": "windows/configuration/taskbar/supported-csp-taskbar-windows.md",
       "redirect_url": "/windows/configuration/taskbar/policy-settings",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/start/start-layout-xml-desktop.md",
+      "redirect_url": "/windows/configuration/start/layout",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/start/customize-and-export-start-layout.md",
+      "redirect_url": "/windows/configuration/start/layout",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/start/windows-10-start-layout-options-and-policies.md",
+      "redirect_url": "/windows/configuration/start/policy-settings",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/start/start-secondary-tiles.md",
+      "redirect_url": "/windows/configuration/start/layout",
+      "redirect_document_id": false
     }
   ]
 }

.openpublishing.redirection.windows-security.json

@@ -9169,6 +9169,16 @@
       "source_path": "windows/security/threat-protection/security-policy-settings/user-rights-assignment.md",
       "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/cloud-security/index.md",
+      "redirect_url": "/windows/security/cloud-services",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md",
+      "redirect_url": "/windows/security/identity-protection/hello-for-business/dual-enrollment",
+      "redirect_document_id": false
     }
   ]
 }

education/windows/change-home-to-edu.md

@@ -1,7 +1,7 @@
 ---
 title: Upgrade Windows Home to Windows Education on student-owned devices
 description: Learn how IT Pros can upgrade student-owned devices from Windows Home to Windows Education using Mobile Device Management or Kivuto OnTheHub with qualifying subscriptions.
-ms.date: 08/07/2023
+ms.date: 04/10/2024
 ms.topic: how-to
 author: scottbreenmsft
 ms.author: scbree
@@ -16,30 +16,30 @@ ms.collection:
 
 ## Overview
 
-Customers with qualifying subscriptions can upgrade student-owned and institution-owned devices from *Windows Home* to *Windows Education*, which is designed for both the classroom and remote learning. 
+Customers with qualifying subscriptions can upgrade student-owned and institution-owned devices from *Windows Home* to *Windows Education*, which is designed for both the classroom and remote learning.
 
 > [!NOTE]
 > To be qualified for this process, customers must have a Windows Education subscription that includes the student use benefit and must have access to the Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center.
 
-IT admins can upgrade student devices using a multiple activation key (MAK) manually or through Mobile Device Management (MDM). Alternatively, IT admins can set up a portal through [Kivuto OnTheHub](http://onthehub.com) where students can request a *Windows Pro Education* product key. The table below provides the recommended method depending on the scenario.
+IT admins can upgrade student devices using a multiple activation key (MAK) manually or through Mobile Device Management (MDM). Alternatively, IT admins can set up a portal through [Kivuto OnTheHub](http://onthehub.com) where students can request a *Windows Pro Education* product key. The following table provides the recommended method depending on the scenario.
 
 | Method | Product key source | Device ownership | Best for |
 |-|-|-|-|
 | MDM | VLSC | Personal (student-owned) | IT admin initiated via MDM |
-| Kivuto | Kivuto | Personal (student-owned) | Initiated on device by student, parent or guardian |
+| Kivuto | Kivuto | Personal (student-owned) | Initiated on device by student, parent, or guardian |
 | Provisioning package | VLSC | Personal (student-owned) or Corporate (institution-owned) | IT admin initiated at first boot |
 
 These methods apply to devices with *Windows Home* installed; institution-owned devices can be upgraded from *Windows Professional* or *Windows Pro Edu* to *Windows Education* or *Windows Enterprise* using [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation).
 
 ## User Notifications
 
-Users aren't notified their device has been or will be upgraded to Windows Education when using MDM. It's the responsibility of the institution to notify their users. Institutions should notify their users that MDM will initiate an upgrade to Windows Education and this upgrade will give the institution extra capabilities, such as installing applications.
+Users aren't notified when their device is upgraded to Windows Education when using MDM. It's the responsibility of the institution to notify their users. Institutions should notify their users that MDM initiates an upgrade to Windows Education, and that the upgrade gives the institution extra capabilities, such as installing applications.
 
 Device users can disconnect from MDM in the Settings app, to prevent further actions from being taken on their personal device. For instructions on disconnecting from MDM, see [Remove your Windows device from management](/mem/intune/user-help/unenroll-your-device-from-intune-windows).
 
 ## Why upgrade student-owned devices from Windows Home to Windows Education?
 
-Some school institutions want to streamline student onboarding for student-owned devices using MDM. Typical MDM requirements include installing certificates, configuring WiFi profiles and installing applications. On Windows, MDM uses Configuration Service Providers (CSPs) to configure settings. Some CSPs aren't available on Windows Home, which can limit the capabilities. Some of the CSPs not available in Windows Home that can affect typical student onboarding are:
+Some school institutions want to streamline student onboarding for student-owned devices using MDM. Typical MDM requirements include installing certificates, configuring WiFi profiles, and installing applications. On Windows, MDM uses Configuration Service Providers (CSPs) to configure settings. Some CSPs aren't available on Windows Home, which can limit the capabilities. Some of the CSPs not available in Windows Home that can affect typical student onboarding are:
 
 - [EnterpriseDesktopAppManagement](/windows/client-management/mdm/enterprisemodernappmanagement-csp) - which enables deployment of Windows installer or Win32 applications.
 - [DeliveryOptimization](/windows/client-management/mdm/policy-csp-deliveryoptimization) - which enables configuration of Delivery Optimization.
@@ -48,11 +48,11 @@ A full list of CSPs are available at [Configuration service provider reference](
 
 ## Requirements for using a MAK to upgrade from Windows Home to Windows Education
 
-- Access to Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center.
+- Access to Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center
 - A qualifying Windows subscription such as:
-  - Windows A3, or;
+  - Windows A3, or
-  - Windows A5.
+  - Windows A5
-- A pre-installed and activated instance of Windows 10 Home or Windows 11 Home.
+- A preinstalled and activated instance of Windows 10 Home or Windows 11 Home
 
 You can find more information in the [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/productoffering).
 
@@ -67,20 +67,20 @@ IT admins with access to the VLSC or the Microsoft 365 Admin Center, can find th
 
 It's critical that MAKs are protected whenever they're used. The following processes provide the best protection for a MAK being applied to a device:
 
-- Provisioning package by institution approved staff;
+- Provisioning package by institution approved staff
-- Manual entry by institution approved staff (don't distribute the key via email);
+- Manual entry by institution approved staff (don't distribute the key via email)
-- Mobile Device Management (like Microsoft Intune) via [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp);
+- Mobile Device Management (like Microsoft Intune) via [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp)
     > [!IMPORTANT]
     > If you are using a Mobile Device Management product other than Microsoft Intune, ensure the key isn't accessible by students.
-- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Configuration Manager.
+- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Configuration Manager
 
 For a full list of methods to perform a Windows edition upgrade and more details, see [Windows 10 edition upgrade](/windows/deployment/upgrade/windows-10-edition-upgrades).
 
-## Downgrading, resetting, reinstalling and graduation rights
+## Downgrading, resetting, reinstalling, and graduation rights
 
 After upgrading from *Windows Home* to *Windows Education* there are some considerations for what happens during downgrade, reset or reinstall of the operating system.
 
-The table below highlights the differences by upgrade product key type:
+The following table highlights the differences by upgrade product key type:
 
 | Product Key Type | Downgrade (in-place) | Reset | Student reinstall |
 |-|-|-|-|
@@ -93,27 +93,27 @@ It isn't possible to downgrade to *Windows Home* from *Windows Education* withou
 
 ### Reset
 
-If the computer is reset, Windows Education will be retained. 
+If the computer is reset, Windows Education is retained.
 
 ### Reinstall
 
-The Education upgrade doesn't apply to reinstalling Windows. Use the original Windows edition when reinstalling Windows. The original product key or [firmware-embedded product key](#what-is-a-firmware-embedded-activation-key) will be used to activate Windows.
+The Education upgrade doesn't apply to reinstalling Windows. Use the original Windows edition when reinstalling Windows. The original product key or [firmware-embedded product key](#what-is-a-firmware-embedded-activation-key) is used to activate Windows.
 
-If students require a *Windows Pro Education* key that can work on a new install of Windows, they should use [Kivuto OnTheHub](http://onthehub.com) to request a key prior to graduation.
+If students require a *Windows Pro Education* key that can work on a new install of Windows, they should use [Kivuto OnTheHub](http://onthehub.com) to request a key before graduation.
 
 For details on product keys and reinstalling Windows, see [Find your Windows product key](https://support.microsoft.com/windows/find-your-windows-product-key-aaa2bf69-7b2b-9f13-f581-a806abf0a886).
 
 ### Resale
 
-The license will remain installed on the device if resold and the same conditions above apply for downgrade, reset or reinstall.
+The license remains installed on the device if resold and the same conditions apply for downgrade, reset, or reinstall.
 
 ## Step by step process for customers to upgrade student-owned devices using Microsoft Intune
 
-These steps provide instructions on how to use Microsoft Intune to upgrade devices from Home to Education. 
+These steps provide instructions on how to use Microsoft Intune to upgrade devices from Home to Education.
 
 ### Step 1: Create a Windows Home edition filter
 
-These steps configure a filter that will only apply to devices running the *Windows Home edition*. This filter will ensure only devices running *Windows Home edition* are upgraded. For more information about filters, see [Create filters in Microsoft Intune](/mem/intune/fundamentals/filters).
+These steps configure a filter that only applies to devices running the *Windows Home edition*, ensuring that only devices running *Windows Home edition* are upgraded. For more information about filters, see [Create filters in Microsoft Intune](/mem/intune/fundamentals/filters).
 
 - Start in the [**Microsoft Intune admin center**](https://go.microsoft.com/fwlink/?linkid=2109431)
 - Select **Tenant administration** > **Filters**
@@ -130,7 +130,7 @@ These steps configure a filter that will only apply to devices running the *Wind
 
     > [!NOTE]
     > Ensure you've selected OR as the operator in the right And/Or column
-    
+
     :::image type="content" source="images/change-home-to-edu-windows-home-edition-intune-filter.png" alt-text="Example of configuring the Windows Home filter":::
 
 - Optionally select scope tags as required
@@ -153,14 +153,14 @@ These steps create and assign a Windows edition upgrade policy. For more informa
   - Change **Edition to upgrade** to **Windows 10/11 Education**
   - In the **Product Key**, enter your *Windows 10/11 Education MAK*
   - Select **Next**
-  
+
     :::image type="content" source="images/change-home-to-edu-windows-edition-upgrade-policy.png" alt-text="Example of configuring the Windows upgrade policy in Microsoft Intune":::
 
 - Optionally select scope tags as required and select **Next**
-- On the **assignments** screen;
+- On the **assignments** screen:
   - Select **Add all devices**
   - Next to **All devices**, select **Edit filter**
-  
+
       > [!NOTE]
       > You can also target other security groups that contain a smaller scope of users or devices and apply the filter rather than All devices.
 
@@ -171,7 +171,7 @@ These steps create and assign a Windows edition upgrade policy. For more informa
 - Don't configure any applicability rules and select **next**
 - Review your settings and select **Create**
 
-The edition upgrade policy will now apply to all existing and new Windows Home edition devices targeted.
+The edition upgrade policy applies to all existing and new Windows Home edition devices targeted.
 
 ### Step 3: Report on device edition
 
@@ -191,11 +191,11 @@ You can check the Windows versions of managed devices in the Microsoft Intune ad
 
 Increases to MAK Activation quantity can be requested by contacting [VLSC support](/licensing/contact-us) and may be granted by exception. A request can be made by accounts with the VLSC Administrator, Key Administrator, or Key Viewer permissions. The request should include the following information:
 
-- Agreement/Enrollment Number or License ID and Authorization.
+- Agreement/Enrollment Number or License ID and Authorization
-- Product Name (includes version and edition).
+- Product Name (includes version and edition)
-- Last five characters of the product key.
+- Last five characters of the product key
-- The number of host activations required.
+- The number of host activations required
-- Business Justification or Reason for Deployment.
+- Business Justification or Reason for Deployment
 
 ### What is a firmware-embedded activation key?
 
@@ -205,7 +205,7 @@ A firmware-embedded activation key is a Windows product key that is installed in
 (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
 ```
 
-If the device has a firmware-embedded activation key, it will be displayed in the output. Otherwise, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
+If the device has a firmware-embedded activation key, it's displayed in the output. Otherwise the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later have a firmware-embedded key.
 
 A firmware embedded key is only required to upgrade using Subscription Activation, a MAK upgrade doesn't require the firmware embedded key.
 
@@ -215,14 +215,6 @@ A multiple activation key activates either individual computers or a group of co
 
 | Scenario | Ownership | MAK | KMS | AD based activation | Subscription Activation |
 |-|-|:-:|:-:|:-:|:-:|
-| **Workplace join (add work or school account)** | Personal (or student-owned) | X | | | |
+| **Workplace join (add work or school account)** | Personal (or student-owned) | ✅ | | | |
-| **Microsoft Entra join** | Organization | X | X | | X |
+| **Microsoft Entra join** | Organization | ✅ | ✅ | | ✅ |
-| **Microsoft Entra hybrid join** | Organization | X | X | X | X |
+| **Microsoft Entra hybrid join** | Organization | ✅ | ✅ | ✅ | ✅ |
-
-## Related links
-
-- [Windows 10 edition upgrade (Windows 10)](/windows/deployment/upgrade/windows-10-edition-upgrades)
-- [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation)
-- [Equip Your Students with Windows 11 Education - Kivuto](https://kivuto.com/windows-11-student-use-benefit/)
-- [Upgrade Windows Home to Windows Pro (microsoft.com)](https://support.microsoft.com/windows/upgrade-windows-home-to-windows-pro-ef34d520-e73f-3198-c525-d1a218cc2818)
-- [Partner Center: Upgrade Education customers from Windows 10 Home to Windows 10 Education](/partner-center/upgrade-windows-to-education)

education/windows/configure-aad-google-trust.md

@@ -1,15 +1,15 @@
 ---
 title: Configure federation between Google Workspace and Microsoft Entra ID
 description: Configuration of a federated trust between Google Workspace and Microsoft Entra ID, with Google Workspace acting as an identity provider (IdP) for Microsoft Entra ID.
-ms.date: 09/11/2023
+ms.date: 04/10/2024
 ms.topic: how-to
 appliesto:
 ---
 
 # Configure federation between Google Workspace and Microsoft Entra ID
 
-This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Azure AD.\
+This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Microsoft Entra ID.\
-Once configured, users will be able to sign in to Microsoft Entra ID with their Google Workspace credentials.
+Once configured, users can sign in to Microsoft Entra ID with their Google Workspace credentials.
 
 ## Prerequisites
 
@@ -27,11 +27,11 @@ To test federation, the following prerequisites must be met:
     > [!IMPORTANT]
     > Users require an email address defined in Google Workspace, which is used to match the users in Microsoft Entra ID.
     > For more information about identity matching, see [Identity matching in Microsoft Entra ID](federated-sign-in.md#identity-matching-in-microsoft-entra-id).
-1. Individual Microsoft Entra accounts already created: each Google Workspace user will require a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example:
+1. Individual Microsoft Entra accounts already created: each Google Workspace user requires a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example:
     - School Data Sync (SDS)
     - Microsoft Entra Connect Sync for environment with on-premises AD DS
     - PowerShell scripts that call the Microsoft Graph API
-    - Provisioning tools offered by the IdP - this capability is offered by Google Workspace through [auto-provisioning](https://support.google.com/a/answer/7365072)
+    - Provisioning tools offered by the IdP - Google Workspace offers [autoprovisioning](https://support.google.com/a/answer/7365072)
 
 <a name='configure-google-workspace-as-an-idp-for-azure-ad'></a>
 
@@ -42,12 +42,12 @@ To test federation, the following prerequisites must be met:
 1. Select **Add app > Search for apps** and search for *microsoft*
 1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
    :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
-1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Microsoft Entra ID later
+1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it's used to set up Microsoft Entra ID later
 1. On the **Service provider detail's** page
       - Select the option **Signed response**
       - Verify that the Name ID format is set to **PERSISTENT**
-      - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you may need to adjust the **Name ID** mapping.\
+      - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping.\
-        If using Google auto-provisioning, select **Basic Information > Primary email**
+        If using Google autoprovisioning, select **Basic Information > Primary email**
       - Select **Continue**
 1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes
 
@@ -136,7 +136,7 @@ AdditionalProperties                  : {}
 From a private browser session, navigate to https://portal.azure.com and sign in with a Google Workspace account:
 
 1. As username, use the email as defined in Google Workspace
-1. The user will be redirected to Google Workspace to sign in
+1. The user is redirected to Google Workspace to sign in
-1. After Google Workspace authentication, the user will be redirected back to Microsoft Entra ID and signed in
+1. After Google Workspace authentication, the user is redirected back to Microsoft Entra ID and signed in
 
 :::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::

education/windows/configure-windows-for-education.md

@@ -1,159 +0,0 @@
----
-title: Windows 10 configuration recommendations for education customers
-description: Learn how to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school.
-ms.topic: how-to
-ms.date: 08/10/2022
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
----
-# Windows 10 configuration recommendations for education customers
-
-Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
-
-We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md).
-
-In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready.
-
-| Area | How to configure | What this area does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | 
-| --- | --- | --- | --- | --- | --- |
-| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This feature is already set | This feature is already set | The policy must be set |
-| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This feature is already set | This feature is already set | The policy must be set |
-| **Cortana** | **AllowCortana** | Disables Cortana </br></br> * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. |
-| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This feature is already set | This feature is already set | The policy must be set |
-| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) |
-| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready </br></br> * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This feature is already set | This feature is already set | The policy must be set |
-
-
-## Recommended configuration
-It's easy to be education ready when using Microsoft products. We recommend the following configuration:
-
-1. Use an Office 365 Education tenant. 
-
-    With Office 365, you also have Microsoft Entra ID. To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
-
-2. Activate Intune for Education in your tenant.
-
-    You can [sign up to learn more about Intune for Education](https://info.microsoft.com/US-WNDWS-CNTNT-FY17-01Jan-17-IntuneforEducationlandingpageandnurture292531_01Registration-ForminBody.html).
-
-3. On PCs running Windows 10, version 1703:
-   1. Provision the PC using one of these methods:
-      * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - The usage of this method will automatically set both **SetEduPolicies** to True and **AllowCortana** to False.
-      * [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False.
-   2. Join the PC to Microsoft Entra ID.
-      * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Microsoft Entra ID.
-      * Manually Microsoft Entra join the PC during the Windows device setup experience.
-   3. Enroll the PCs in MDM.
-      * If you've activated Intune for Education in your Microsoft Entra tenant, enrollment will happen automatically when the PC is joined to Microsoft Entra ID. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False.
-   4. Ensure that needed assistive technology apps can be used.
-      * If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info.
-
-4. Distribute the PCs to students.
-
-    Students sign in with their Azure AD/Office 365 identity, which enables single sign-on to Bing in Microsoft Edge, enabling an ad-free search experience with Bing in Microsoft Edge.
-
-5. Ongoing management through Intune for Education.
-
-    You can set many policies through Intune for Education, including **SetEduPolicies** and **AllowCortana**, for ongoing management of the PCs.
-
-## Configuring Windows
-You can configure Windows through provisioning or management tools including industry standard MDM.
-- Provisioning - A one-time setup process.
-- Management - A one-time and/or ongoing management of a PC by setting policies.
-
-You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
-- [Set up School PCs](use-set-up-school-pcs-app.md)
-- [Intune for Education](/intune-education/available-settings)
-
-## AllowCortana
-**AllowCortana** is a policy that enables or disables Cortana. It's a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). 
-
-> [!NOTE]
-> See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings.
-
-Use one of these methods to set this policy.
-
-### MDM
-- Intune for Education automatically sets this policy in the **All devices** group policy configuration.
-- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
-  - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
-
-      For example, in Intune, create a new configuration policy and add an OMA-URI. 
-    - OMA-URI:  ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
-    - Data type:  Integer
-    - Value:  0
-
-### Group Policy
-Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**.
-
-### Provisioning tools
-- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
-- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) 
-    - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**.
-
-## SetEduPolicies
-**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It's a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp).
-
-Use one of these methods to set this policy. 
-
-### MDM
-- Intune for Education automatically sets this policy in the **All devices** group policy configuration.
-- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
-  - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
-
-      For example, in Intune, create a new configuration policy and add an OMA-URI.
-    - OMA-URI:  ./Vendor/MSFT/SharedPC/SetEduPolicies
-    - Data type:  Boolean
-    - Value:  true
-
-      ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png)
-
-### Group Policy
-**SetEduPolicies** isn't natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). 
-
-For example:
-
-- Open PowerShell as an administrator and enter the following:
-
-    ```
-    $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
-
-    $sharedPC.SetEduPolicies = $True
-
-    Set-CimInstance -CimInstance $sharedPC
-
-    Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass
-    ```
-
-### Provisioning tools
-- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
-- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) 
-    - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
-
-        ![Set SetEduPolicies to True in Windows Configuration Designer.](images/wcd/setedupolicies.png)
-
-## Ad-free search with Bing
-Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. 
-
-### Configurations
-
-<a name='azure-ad-and-office-365-education-tenant'></a>
-
-#### Microsoft Entra ID and Office 365 Education tenant
-To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
-
-1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-viva-engage-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
-2. Domain join the Windows 10 PCs to your Microsoft Entra tenant (this tenant is the same as your Office 365 tenant).
-3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
-4. Have students sign in with their Microsoft Entra identity, which is the same as your Office 365 identity, to use the PC.
-> [!NOTE]
-> If you are verifying your Office 365 domain to prove education status (step 1 above), you may need to wait up to 7 days for the ad-free experience to take effect. Microsoft recommends not to roll out the browser to your students until that time.
-
-#### Office 365 sign-in to Bing
-To suppress ads only when the student signs into Bing with their Office 365 account in Microsoft Edge, follow these steps:
-
-1. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
-2. Have students sign into Bing with their Office 365 account.
-
-
-## Related topics
-[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)

education/windows/edu-stickers.md

@@ -1,7 +1,7 @@
 ---
 title: Configure Stickers for Windows 11 SE
 description: Learn about the Stickers feature and how to configure it via Intune and provisioning package.
-ms.date: 11/09/2023
+ms.date: 04/10/2024
 ms.topic: how-to
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
@@ -25,7 +25,7 @@ With Stickers, students feel more attached to the device as they feel as if it's
 
 ## Enable Stickers
 
-Stickers aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
+Stickers aren't enabled by default. The following instructions describe how to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
 
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 
@@ -62,14 +62,14 @@ Content-Type: application/json
 
 ## How to use Stickers
 
-Once the Stickers feature is enabled, the sticker editor can be opened by either:
+Once the Stickers feature is enabled, open sticker editor by either:
 
 - using the contextual menu on the desktop and selecting the option **Add or edit stickers**
 - opening the Settings app > **Personalization** > **Background** > **Add stickers**
 
 :::image type="content" source="./images/win-11-se-stickers-menu.png" alt-text="Windows 11 SE desktop contextual menu to open the sticker editor" border="true":::
 
-Multiple stickers can be added from the picker by selecting them. The stickers can be resized, positioned or deleted from the desktop by using the mouse, keyboard, or touch.
+Multiple stickers can be added from the picker by selecting them. The stickers can be resized, positioned, or deleted from the desktop by using the mouse, keyboard, or touch.
 
 :::image type="content" source="./images/win-11-se-stickers-animation.gif" alt-text="animation showing Windows 11 SE desktop with 4 pirate stickers being resized and moved" border="true":::
 

education/windows/edu-themes.md

@@ -1,7 +1,7 @@
 ---
 title: Configure education themes for Windows 11
 description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package.
-ms.date: 09/11/2023
+ms.date: 04/10/2024
 ms.topic: how-to
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

education/windows/federated-sign-in.md

@@ -1,7 +1,7 @@
 ---
 title: Configure federated sign-in for Windows devices
 description: Learn how federated sign-in in Windows works and how to configure it.
-ms.date: 09/11/2023
+ms.date: 04/10/2024
 ms.topic: how-to
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

education/windows/get-minecraft-for-education.md

@@ -2,7 +2,7 @@
 title: Get and deploy Minecraft Education
 description: Learn how to obtain and distribute Minecraft Education to Windows devices.
 ms.topic: how-to
-ms.date: 09/11/2023
+ms.date: 04/10/2024
 ms.collection:
   - education
   - tier2
@@ -16,15 +16,15 @@ Minecraft Education is a game-based platform that inspires creative and inclusiv
 
 **Prepare students for the future**: learners develop key skills like problem solving, collaboration, digital citizenship, and critical thinking to help them thrive now and in the future workplace. Spark a passion for STEM.
 
-**Game based learning**: unlock creativity and deep learning with immersive content created with partners including BBC Earth, NASA, and the Nobel Peace Center. Inspire students to engage in real-world topics, with culturally relevant lessons and build challenges.  
+**Game based learning**: unlock creativity and deep learning with immersive content created with partners including BBC Earth, NASA, and the Nobel Peace Center. Inspire students to engage in real-world topics, with culturally relevant lessons and build challenges. 
 
 ## Minecraft Education key features
 
-- Multiplayer mode enables collaboration in-game across platforms, devices, and hybrid environments  
+- Multiplayer mode enables collaboration in-game across platforms, devices, and hybrid environments 
-- Code Builder supports block-based coding, JavaScript, and Python with intuitive interface and in-game execution  
+- Code Builder supports block-based coding, JavaScript, and Python with intuitive interface and in-game execution 
-- Immersive Reader helps players read and translate text  
+- Immersive Reader helps players read and translate text 
-- Camera and Book & Quill items allow documentation and export of in-game creations  
+- Camera and Book & Quill items allow documentation and export of in-game creations 
-- Integration with Microsoft Teams and Flipgrid supports assessment and teacher controls  
+- Integration with Microsoft Teams and Flipgrid supports assessment and teacher controls 
 
 ## Try or purchase Minecraft Education
 
@@ -34,7 +34,7 @@ Organizations can [purchase subscriptions][EDU-2] directly in the *Microsoft 3
 
 When you sign up for a Minecraft Education trial, or purchase a subscription, Minecraft Education licenses are linked to your Microsoft Entra tenant. If you don't have a Microsoft Entra tenant:
 
-- Microsoft-verified academic organizations can set up a free [Office 365 Education subscription][EDU-3], which includes a Microsoft Entra tenant  
+- Microsoft-verified academic organizations can set up a free [Office 365 Education subscription][EDU-3], which includes a Microsoft Entra tenant
 - Non-Microsoft-verified academic organizations can set up a free Microsoft Entra tenant when they [purchase Minecraft Education commercial licenses][EDU-4]
 
 ### Direct purchase
@@ -78,7 +78,7 @@ To pay with an invoice:
 1. During the purchase, select **Add a new payment method.**
 2. Select the **Invoice** option, and provide the information needed for an invoice. The **PO number** item allows you to add a tracking number or info that is meaningful to your organization.
 
-For more information about invoices and how to pay by invoice, see [Payment options for your Microsoft subscription][M365-1].  
+For more information about invoices and how to pay by invoice, see [Payment options for your Microsoft subscription][M365-1].
 
 ## Assign Minecraft Education licenses
 

education/windows/index.yml

@@ -63,10 +63,8 @@ productDirectory:
     - title: Learn how to manage Windows devices
       imageSrc: /media/common/i_management.svg
       links:
-        - url: tutorial-school-deployment/manage-overview.md
+        - url: /mem/intune/industry/education/tutorial-school-deployment/manage-overview
           text: Manage devices with Microsoft Intune
-        - url: tutorial-school-deployment/manage-surface-devices.md
-          text: Management functionalities for Surface devices
         - url: /education/windows/get-minecraft-for-education
           text: Get and deploy Minecraft Education
         - url: /windows/client-management

education/windows/set-up-school-pcs-provisioning-package.md

@@ -1,7 +1,7 @@
 ---
 title: What's in Set up School PCs provisioning package
 description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app.
-ms.date: 06/02/2023
+ms.date: 04/10/2024
 ms.topic: reference
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@@ -34,15 +34,15 @@ For a more detailed look at the policies, see the Windows article [Set up shared
 | Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. |
 | Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When devices are optimized for shared use, the policy sets 25% of total disk space as the disk space threshold for account caching. When devices are optimized for use by a single student, the policy sets the value to 0% and doesn't delete accounts. |
 | Enable account manager | True | Enables automatic account management. |
-| Inactive threshold | For shared device setup, 30 days; for single device-student setup, 180 days. | After 30 or 180 days, respectively, if an account hasn't signed in, it will be deleted. |
+| Inactive threshold | For shared device setup, 30 days; for single device-student setup, 180 days. | After the threshold, if an account hasn't signed in, its user profile is deleted. |
 | Kiosk Mode AMUID | `Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App` | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. |
 | Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. |
 | Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy doesn't prevent students from saving on the PCs local hard drive. |
 | Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. |
-| Max page file size in MB | 1024 | Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. |
+| Max page file size in MB | 1024 | Sets the maximum size of the paging file to 1,024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. |
 | Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. |
 | Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. |
-| Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. |
+| Sleep timeout | 3,600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3,600 seconds (1 hour), is applied. |
 
 ## MDM and local group policies
 
@@ -58,7 +58,7 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client
 | Hide OOBE for desktop | True | Hides the interactive OOBE flow for Windows 10. |
 | Download Mode | 1 - HTTP blended with peering behind the same NAT | Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates |
 | Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel | Specifies how frequently devices receive preview builds and feature updates. |
-| Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user. |
+| Allow auto update | 4 - Autoinstalls and restarts without device-user control | When an auto update is available, it autoinstalls and restarts the device without any input or action from the device user. |
 | Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates. |
 | Update power policy for cart restarts | 1 - Configured | Skips all restart checks to ensure that the reboot will happen at the scheduled install time. |
 | Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days. |
@@ -70,7 +70,7 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client
 | Allow add provisioning package | Disabled | Students can't add and upload new provisioning packages to their device. |
 | Allow remove provisioning package | Disabled | Students can't remove packages that you've uploaded to their device, including the Set up School PCs app |
 | Start Layout | Enabled | Lets you specify the Start layout for users and prevents them from changing the configuration. |
-| Import Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. |
+| Import Microsoft Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. |
 | Allow pinned folder downloads | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the Downloads shortcut on the Start menu visible to students. |
 | Allow pinned folder File Explorer | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the File Explorer shortcut on the Start menu visible to students. |
 | Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. |
@@ -112,7 +112,7 @@ The time it takes to install a package on a device depends on the:
 - Number of policies and apps within the package
 - Other configurations made to the device
 
-Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes preinstalled apps, through CleanPC, will take much longer to provision.
+Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations provisions the fastest. A package that removes preinstalled apps, through CleanPC, will take longer to provision.
 
 | Configurations | Connection type | Estimated provisioning time |
 |--|--|--|

education/windows/toc.yml

@@ -4,8 +4,6 @@ items:
 - name: Tutorials
   expanded: true
   items:
-  - name: Deploy and manage Windows devices in a school
-    href: tutorial-school-deployment/toc.yml
   - name: Deploy applications to Windows 11 SE
     href: tutorial-deploy-apps-winse/toc.yml
 - name: Concepts

education/windows/tutorial-deploy-apps-winse/considerations.md

@@ -1,7 +1,7 @@
 ---
 title: Important considerations before deploying apps with managed installer
 description: Learn about important aspects to consider before deploying apps with managed installer.
-ms.date: 06/19/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

education/windows/tutorial-deploy-apps-winse/create-policies.md

@@ -1,7 +1,7 @@
 ---
 title: Create policies to enable applications
 description: Learn how to create policies to enable the installation and execution of apps on Windows SE.
-ms.date: 06/19/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

education/windows/tutorial-deploy-apps-winse/deploy-apps.md

@@ -1,7 +1,7 @@
 ---
 title: Applications deployment considerations
 description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them.
-ms.date: 05/23/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

education/windows/tutorial-deploy-apps-winse/deploy-policies.md

@@ -1,7 +1,7 @@
 ---
 title: Deploy policies to enable applications
 description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices.
-ms.date: 05/23/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

education/windows/tutorial-deploy-apps-winse/index.md

@@ -1,7 +1,7 @@
 ---
 title: Deploy applications to Windows 11 SE with Intune
 description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps.
-ms.date: 06/07/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

education/windows/tutorial-deploy-apps-winse/troubleshoot.md

@@ -1,7 +1,7 @@
 ---
 title: Troubleshoot app deployment issues in Windows SE
 description: Troubleshoot common issues when deploying apps to Windows SE devices.
-ms.date: 06/19/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
@@ -45,10 +45,10 @@ Use the Event Viewer to see if a supplemental policy is deployed correctly. Thes
     ```
     citool.exe -lp
     ```
-    
+
     - For the policy that allows managed installers to run, a policyID `C0DB889B-59C5-453C-B297-399C851934E4` and Friendly Name *[Win-EDU] Microsoft Apps Supplemental Policy - Prod* should be present, and have **Is Currently Enforced** showing as **true**
     - For any additional policies that you deploy, check that a policy with a matching ID and Friendly Name is shown in the list and the **Is Currently Enforced** and **Is Authorized** properties are both showing as **true**
-    
+
     :::image type="content" source="images/troubleshoot-citool.png" alt-text="Screenshot of the output of citool.exe with the Win-EDU supplemental policy.":::
 
 1. Check for **error events** with code **3077**: and reference [Understanding Application Control event IDs][WIN-1]

education/windows/tutorial-deploy-apps-winse/validate-apps.md

@@ -1,7 +1,7 @@
 ---
 title: Validate the applications deployed to Windows SE devices
 description: Learn how to validate the applications deployed to Windows SE devices via Intune.
-ms.date: 06/19/2023
+ms.date: 04/10/2024
 ms.topic: tutorial
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
@@ -65,11 +65,11 @@ To check the installation status of an app from the Intune portal:
 1. Select **App > All apps**
 1. Select the application you want to check
 1. From the **Overview** page, you can verify the overall installation status
-    
+
     :::image type="content" source="./images/intune-app-install-overview.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation details." lightbox="./images/intune-app-install-overview.png":::
 
 1. From the **Device install status** page, you can verify the installation status for each device, and the status code that indicates the cause of the failure
-    
+
     :::image type="content" source="./images/intune-app-install-status.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation status for each device." lightbox="./images/intune-app-install-status.png":::
 
 > [!NOTE]

education/windows/tutorial-school-deployment/configure-device-apps.md

@@ -1,77 +0,0 @@
----
-title: Configure applications with Microsoft Intune
-description: Learn how to configure applications with Microsoft Intune in preparation for device deployment.
-ms.date: 01/16/2024
-ms.topic: tutorial
----
-
-# Configure applications with Microsoft Intune
-
-With Intune for Education, school IT administrators have access to diverse applications to help students unlock their learning potential. This section discusses tools and resources for adding apps to Intune for Education.
-
-Applications can be assigned to groups:
-
-- If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into
-- If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in
-
-> [!div class="checklist"]
->In this section you will:
->
-> - Add apps to Intune for Education
-> - Assign apps to groups
-> - Review some considerations for Windows 11 SE devices
-
-## Add apps to Intune for Education
-
-Intune for Education supports the deployment of two types of Windows applications: **web apps** and **desktop apps**.
-
-:::image type="content" source="./images/intune-education-apps.png" alt-text="Intune for Education - Apps" lightbox="./images/intune-education-apps.png" border="true":::
-
-### Desktop apps
-
-The addition of desktop applications to Intune should be carried out by repackaging the apps, and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
-
-### Web apps
-
-To create web applications in Intune for Education:
-
-1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
-1. Select **Apps**
-1. Select **New app** > **New web app**
-1. Provide a URL for the web app, a name and, optionally, an icon and description
-1. Select **Save**
-
-For more information, see [Add web apps][INT-2].
-
-## Assign apps to groups
-
-To assign applications to a group of users or devices:
-
-1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
-1. Select **Groups** > Pick a group to manage
-1. Select **Apps**
-1. Select either **Web apps** or **Windows apps**
-1. Select the apps you want to assign to the group > Save
-
-## Considerations for Windows 11 SE
-
-Windows 11 SE prevents the installation and execution of third party applications with a technology called **Windows Defender Application Control** (WDAC).
-WDAC applies an *allowlist* policy, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E Mode policy.
-
-To learn more about which apps are supported in Windows 11 SE, and how to deploy them, see the tutorial [Deploy applications to Windows 11 SE with Intune][EDU-1].
-
-## Next steps
-
-With the applications configured, you can now deploy students' and teachers' devices.
-
-> [!div class="nextstepaction"]
-> [Next: Deploy devices >](enroll-overview.md)
-
-<!-- Reference links in article -->
-
-[EDU-1]: ../tutorial-deploy-apps-winse/index.md
-
-[MEM-1]: /mem/intune/apps/apps-win32-add
-
-[INT-1]: /intune-education/express-configuration-intune-edu
-[INT-2]: /intune-education/add-web-apps-edu

education/windows/tutorial-school-deployment/configure-device-settings.md

@@ -1,133 +0,0 @@
----
-title: Configure and secure devices with Microsoft Intune
-description: Learn how to configure policies with Microsoft Intune in preparation for device deployment.
-ms.date: 01/16/2024
-ms.topic: tutorial
-ms.collection: essentials-manage
----
-
-# Configure and secure devices with Microsoft Intune
-
-With Intune for Education, you can configure settings for devices in the school, to ensure that they comply with specific policies.
-For example, you may need to secure your devices, ensuring that they are kept up to date. Or you may need to configure all the devices with the same look and feel.
-
-Settings can be assigned to groups:
-
-- If you target settings to a **group of users**, those settings will apply, regardless of what managed devices the targeted users sign in to
-- If you target settings to a **group of devices**, those settings will apply regardless of who is using the devices
-
-There are two ways to manage settings in Intune for Education:
-
-- **Express Configuration.** This option is used to configure a selection of settings that are commonly used in school environments
-- **Group settings.** This option is used to configure all settings that are offered by Intune for Education
-
-> [!NOTE]
-> Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices.
-
-
-> [!div class="checklist"]
->In this section you will:
->
-> - Configure settings with Express Configuration
-> - Configure group settings
-> - Create Windows Update policies
-> - Configure security policies
-
-## Configure settings with Express Configuration
-
-With Express Configuration, you can get Intune for Education up and running in just a few steps. You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools.
-
-> [!TIP]
-> To learn more, and practice step-by-step Express Configuration in Intune for Education, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/deploy-apps-and-policies" target="_blank"><u>this interactive demo</u></a>.
-
-## Configure group settings
-
-Groups are used to manage users and devices with similar management needs, allowing you to apply changes to many devices or users at once. To review the available group settings:
-
-1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
-1. Select **Groups** > Pick a group to manage
-1. Select **Windows device settings**
-1. Expand the different categories and review information about individual settings
-
-Settings that are commonly configured for student devices include:
-
-- Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7]
-- Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8]
-- Enablement of the integrated testing and assessment solution *Take a Test*. See: [Add Take a Test profile][INT-9]
-
-For more information, see [Windows device settings in Intune for Education][INT-3].
-
-## Create Windows Update policies
-
-It is important to keep Windows devices up to date with the latest security updates. You can create Windows Update policies using Intune for Education.
-
-To create a Windows Update policy:
-
-1. Select **Groups** > Pick a group to manage
-1. Select **Windows device settings**
-1. Expand the category **Update and upgrade**
-1. Configure the required settings as needed
-
-For more information, see [Updates and upgrade][INT-6].
-
-> [!NOTE]
-> If you require a more complex Windows Update policy, you can create it in Microsoft Intune. For more information:
-> - [<u>What is Windows Update for Business?</u>][WIN-1]
-> - [<u>Manage Windows software updates in Intune</u>][MEM-1]
-
-## Configure security policies
-
-It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows.
-Intune for Education provides different settings to secure devices.
-
-To create a security policy:
-
-1. Select **Groups** > Pick a group to manage
-1. Select **Windows device settings**
-1. Expand the category **Security**
-1. Configure the required settings as needed, including
-    - Windows Defender
-    - Windows Encryption
-    - Windows SmartScreen
-
-For more information, see [Security][INT-4].
-
-> [!NOTE]
-> If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information:
-> - [<u>Antivirus</u>][MEM-2]
-> - [<u>Disk encryption</u>][MEM-3]
-> - [<u>Firewall</u>][MEM-4]
-> - [<u>Endpoint detection and response</u>][MEM-5]
-> - [<u>Attack surface reduction</u>][MEM-6]
-> - [<u>Account protection</u>][MEM-7]
-
----
-
-## Next steps
-
-With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices.
-
-> [!div class="nextstepaction"]
-> [Next: Configure applications >](configure-device-apps.md)
-
-<!-- Reference links in article -->
-
-[EDU-1]: /education/windows/windows-11-se-overview
-
-[INT-2]: /intune-education/express-configuration-intune-edu
-[INT-3]: /intune-education/all-edu-settings-windows
-[INT-4]: /intune-education/all-edu-settings-windows#security
-[INT-6]: /intune-education/all-edu-settings-windows#updates-and-upgrade
-[INT-7]: /intune-education/all-edu-settings-windows#lock-screen-and-desktop
-[INT-8]: /intune-education/add-wi-fi-profile
-[INT-9]: /intune-education/take-a-test-profiles
-
-[WIN-1]: /windows/deployment/update/waas-manage-updates-wufb
-
-[MEM-1]: /mem/intune/protect/windows-update-for-business-configure
-[MEM-2]: /mem/intune/protect/endpoint-security-antivirus-policy
-[MEM-3]: /mem/intune/protect/encrypt-devices
-[MEM-4]: /mem/intune/protect/endpoint-security-firewall-policy
-[MEM-5]: /mem/intune/protect/endpoint-security-edr-policy
-[MEM-6]: /mem/intune/protect/endpoint-security-asr-policy
-[MEM-7]: /mem/intune/protect/endpoint-security-account-protection-policy

education/windows/tutorial-school-deployment/configure-devices-overview.md

@@ -1,61 +0,0 @@
----
-title: Configure devices with Microsoft Intune
-description: Learn how to configure policies and applications in preparation for device deployment.
-ms.date: 11/09/2023
-ms.topic: tutorial
-ms.collection: essentials-manage
----
-
-# Configure settings and applications with Microsoft Intune
-
-Before distributing devices to your users, you must ensure that the devices will be configured with the required policies, settings, and applications as they get enrolled in Intune.
-Microsoft Intune uses Microsoft Entra groups to assign policies and applications to devices.
-With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them.
-
-
-> [!div class="checklist"]
->In this section you will:
->
-> - Create groups
-> - Create and assign policies to groups
-> - Create and assign applications to groups
-
-## Create groups
-
-By organizing devices, students, classrooms, or learning curricula into groups, you can provide students with the resources and configurations they need.
-
-By default, Intune for Education creates two default groups: *All devices* and *All users*.
-Two additional groups are pre-created if you use **Microsoft School Data Sync (SDS)**: *All teachers* and *All students*. SDS can also be configured to automatically create and maintain groups of students and teachers for each school.
-
-:::image type="content" source="./images/intune-education-groups.png" alt-text="Intune for Education - Groups blade" border="true":::
-
-Beyond the defaults, groups can be customized to suit various needs. For example, if you have both *Windows 10* and *Windows 11 SE* devices in your school, you can create groups, such as *Windows 10 devices* and *Windows 11 SE devices*, to assign different policies and applications to.
-
-Two group types can be created:
-
-- **Assigned groups** are used when you want to manually add users or devices to a group
-- **Dynamic groups** reference rules that you create to assign students or devices to groups, which automate the membership's maintenance of those groups
-
-> [!TIP]
-> If you target applications and policies to a *device dynamic group*, they will be applied to the devices as soon as they are enrolled in Intune, before users signs in. This can be useful in bulk enrollment scenarios, where devices are enrolled without requiring users to sign in. Devices can be configured and prepared in advance, before distribution.
-
-For more information, see:
-
-- [Create groups in Intune for Education][EDU-1]
-- [Manually add or remove users and devices to an existing assigned group][EDU-2]
-- [Edit dynamic group rules to accommodate for new devices, locations, or school years][EDU-3]
-
-________________________________________________________
-
-## Next steps
-
-With the groups created, you can configure policies and applications to deploy to your groups.
-
-> [!div class="nextstepaction"]
-> [Next: Configure policies >](configure-device-settings.md)
-
-<!-- Reference links in article -->
-
-[EDU-1]: /intune-education/create-groups
-[EDU-2]: /intune-education/edit-groups-intune-for-edu
-[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules

education/windows/tutorial-school-deployment/enroll-autopilot.md

@@ -1,148 +0,0 @@
----
-title: Enrollment in Intune with Windows Autopilot
-description: Learn how to join Microsoft Entra ID and enroll in Intune using Windows Autopilot.
-ms.date: 01/16/2024
-ms.topic: tutorial
----
-
-# Windows Autopilot
-
-Windows Autopilot is designed to simplify all parts of Windows devices lifecycle, from initial deployment through end of life. Using cloud-based services, Windows Autopilot can reduce the overall costs for deploying, managing, and retiring devices.
-
-Traditionally, IT pros spend a significant amount of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new, simplified approach. Devices don't need to be reimaged, rather they can be deployed with the OEM image, and customized using cloud-based services.
-
-From the user's perspective, it only takes a few simple operations to make their device ready to use. The only interaction required from the end user is to set their language and regional settings, connect to a network, and verify their credentials. Everything beyond that is automated.
-
-## Prerequisites
-
-Before setting up Windows Autopilot, consider these prerequisites:
-
-- **Software requirements.** Ensure your school and devices meet the [software, networking, licensing, and configuration requirements][WIN-1] for Windows Autopilot
-- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. To connect with a partner, you can use the [Microsoft Partner Center][MSFT-1] and work with them to register your devices
-- **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1]
-
-> [!NOTE]
-> Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [<u>Microsoft Intune</u>][INT-1] and [<u>Microsoft 365</u>][M365-1].
-
-## Register devices to Windows Autopilot
-
-Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded to the Autopilot service. In this way, the Autopilot service can recognize which tenant devices belong to, and which OOBE experience it should present. There are three main ways to register devices to Autopilot:
-
-- **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more information, see [OEM registration][MEM-2]
-    > [!NOTE]
-    > For **Microsoft Surface registration**, collect the details shown in this [<u>documentation table</u>][SURF-1] and follow the instruction to submit the request form to Microsoft Support.
-- **Cloud Solution Provider (CSP) registration process.** As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see [Partner registration][MEM-5]
-    > [!TIP]
-    > Try the <a href="https://cloudpartners.transform.microsoft.com/resources/autopilot-in-edu-setup-english" target="_blank"><u>Microsoft Partner Center clickable demo</u></a>, which provides detailed steps to establish a partner relationship and register devices.
-- **Manual registration.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune][MEM-6]
-    > [!IMPORTANT]
-    > **Windows 11 SE** devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices.
-
-## Create groups for Autopilot devices
-
-**Windows Autopilot deployment profiles** determine the Autopilot *deployment mode* and define the out-of-box experience of your devices. A device group is required to assign a Windows Autopilot deployment profile to the devices.
-For this task, it's recommended to create dynamic device groups using Autopilot attributes.
-
-Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag:
-
-1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
-1. Select **Groups** > **Create group**
-1. Specify a **Group name** and select **Dynamic**
-1. Under **Rules**, select **I want to manage: Devices** and use the clause **Where: Device group tag starts with**, specifying the required tag value
-1. Select **Create group**
-    :::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true":::
-
-More advanced dynamic membership rules can be created from Microsoft Intune admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3].
-
-> [!TIP]
-> You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings.
-
-## Create Autopilot deployment profiles
-
-For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices.
-A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be:
-
-1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Microsoft Entra join process during OOBE
-1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Microsoft Entra join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode
-
-To create an Autopilot deployment profile:
-
-1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
-1. Select **Groups** > Select a group from the list
-1. Select **Windows device settings**
-1. Expand the **Enrolment** category
-1. From **Configure Autopilot deployment profile for device** select **User-driven**
-1. Ensure that **User account type** is configured as **Standard**
-1. Select **Save**
-
-While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Intune admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4].
-
-### Configure an Enrollment Status Page
-
-An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status.
-
-:::image type="content" source="./images/win11-oobe-esp.gif" alt-text="Windows OOBE - enrollment status page animation." border="false":::
-
-> [!NOTE]
-> Some Windows Autopilot deployment profiles **require** the ESP to be configured.
-
-To deploy the ESP to devices, you need to create an ESP profile in Microsoft Intune.
-
-> [!TIP]
-> While testing the deployment process, you can configure the ESP to:
-> - allow the reset of the devices in case the installation fails
-> - allow the use of the  device if installation error occurs
->
-> This enables you to troubleshoot the installation process in case any issues arise and to easily reset the OS. You can turn these settings off once you are done testing.
-
-For more information, see [Set up the Enrollment Status Page][MEM-3].
-
-> [!CAUTION]
-> The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due to the E Mode policy, devices may not complete the enrollment. For more information, see [Enrollment Status Page][EDU-3].
-
-### Autopilot end-user experience
-
-Once configuration is complete and devices are distributed, students and teachers are able to complete the out-of-box experience with Autopilot. They can set up their devices at home, at school, or wherever there's a reliable Internet connection.
-When a Windows device is turned on for the first time, the end-user experience with Windows Autopilot is as follows:
-
-1. Identify the language and region
-1. Select the keyboard layout and decide on the option for a second keyboard layout
-1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step
-1. Apply updates: the device will look for and apply required updates
-1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed, and a reboot will occur
-1. The user authenticates to Microsoft Entra ID, using the school account
-1. The device joins Microsoft Entra ID, enrolls in Intune and all the settings and applications are configured
-
-> [!NOTE]
-> Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection.
-
-:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
-
-________________________________________________________
-## Next steps
-
-With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
-
-> [!div class="nextstepaction"]
-> [Next: Manage devices >](manage-overview.md)
-
-<!-- Reference links in article -->
-
-[MEM-1]: /mem/intune/fundamentals/intune-endpoints
-[MEM-2]: /mem/autopilot/oem-registration
-[MEM-3]: /mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune
-[MEM-4]: /mem/autopilot/profiles
-[MEM-5]: /mem/autopilot/partner-registration
-[MEM-6]: /mem/autopilot/add-devices
-
-[WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements
-
-[MSFT-1]: https://partner.microsoft.com/
-
-[INT-1]: /intune/network-bandwidth-use
-
-[M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
-
-[EDU-3]: ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page
-
-[SURF-1]: /surface/surface-autopilot-registration-support

education/windows/tutorial-school-deployment/enroll-entra-join.md

@@ -1,32 +0,0 @@
----
-title: Enrollment in Intune with standard out-of-box experience (OOBE)
-description: Learn how to join devices to Microsoft Entra ID from OOBE and automatically get them enrolled in Intune.
-ms.date: 11/09/2023
-ms.topic: tutorial
----
-
-# Automatic Intune enrollment via Microsoft Entra join
-
-If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Microsoft Entra tenant, and automatically enroll it in Intune.
-With this process, no advance preparation is needed:
-
-1. Follow the on-screen prompts for region selection, keyboard selection, and network connection
-1. Wait for updates. If any updates are available, they'll be installed at this time
-  :::image type="content" source="./images/win11-oobe-updates.png" alt-text="Windows 11 OOBE - updates page" border="true":::
-1. When prompted, select **Set up for work or school** and authenticate using your school's Microsoft Entra account
-  :::image type="content" source="./images/win11-oobe-auth.png" alt-text="Windows 11 OOBE - authentication page" border="true":::
-1. The device will join Microsoft Entra ID and automatically enroll in Intune. All settings defined in Intune will be applied to the device
-
-> [!IMPORTANT]
-> If you configured enrollment restrictions in Intune blocking personal Windows devices, this process will not complete. You will need to use a different enrollment method, or ensure that the devices are registered in Autopilot.
-
-:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
-
----
-
-## Next steps
-
-With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
-
-> [!div class="nextstepaction"]
-> [Next: Manage devices >](manage-overview.md)

education/windows/tutorial-school-deployment/enroll-overview.md

@@ -1,31 +0,0 @@
----
-title: Device enrollment overview
-description: Learn about the different options to enroll Windows devices in Microsoft Intune
-ms.date: 11/09/2023
-ms.topic: overview
----
-
-# Device enrollment overview
-
-There are three main methods for joining Windows devices to Microsoft Entra ID and getting them enrolled and managed by Intune:
-
-- **Automatic Intune enrollment via Microsoft Entra join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Microsoft Entra ID. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices
-- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join a Microsoft Entra tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience
-- **Enrollment via Windows Autopilot.** Windows Autopilot is a collection of cloud services to configure the out-of-box experience, enabling light-touch or zero-touch deployment scenarios. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users
-
-## Choose the enrollment method
-
-**Windows Autopilot** and the **Set up School PCs** app are usually the most efficient options for school environments.
-This [table][INT-1] describes the ideal scenarios for using either option. It's recommended to review the table when planning your enrollment and deployment strategies.
-
-:::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false":::
-
-Select one of the following options to learn the next steps about the enrollment method you chose:
-> [!div class="op_single_selector"]
-> - [Automatic Intune enrollment via Microsoft Entra join](enroll-entra-join.md)
-> - [Bulk enrollment with provisioning packages](enroll-package.md)
-> - [Enroll devices with Windows Autopilot](enroll-autopilot.md)
-
-<!-- Reference links in article -->
-
-[INT-1]: /intune-education/add-devices-windows#when-to-use-set-up-school-pcs-vs-windows-autopilot

education/windows/tutorial-school-deployment/enroll-package.md

@@ -1,65 +0,0 @@
----
-title: Enrollment of Windows devices with provisioning packages
-description: Learn about how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer.
-ms.date: 11/09/2023
-ms.topic: tutorial
----
-
-# Enrollment with provisioning packages
-
-Enrolling devices with provisioning packages is an efficient way to deploy a large number of Windows devices. Some of the benefits of provisioning packages are:
-
-- There are no particular hardware dependencies on the devices to complete the enrollment process
-- Devices don't need to be registered in advance
-- Enrollment is a simple task: just open a provisioning package and the process is automated
-
-You can create provisioning packages using either **Set Up School PCs** or **Windows Configuration Designer** applications, which are described in the following sections.
-
-## Set up School PCs
-
-With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Microsoft Entra join and Intune enrollment process.
-
-### Create a provisioning package
-
-The Set Up School PCs app guides you through configuration choices for school-owned devices.
-
-:::image type="content" source="./images/supcs-win11se.png" alt-text="Configure device settings in Set Up School PCs app" border="false":::
-
-> [!CAUTION]
-> If you are creating a provisioning package for **Windows 11 SE** devices, ensure to select the correct *OS version* in the *Configure device settings* page.
-
-Set Up School PCs will configure many settings, allowing you to optimize devices for shared use and other scenarios.
-
-For more information on prerequisites, configuration, and recommendations, see [Use the Set Up School PCs app][EDU-1].
-
-> [!TIP]
-> To learn more and practice with Set up School PCs, try the <a href="https://www.microsoft.com/en-us/education/interactive-demos/enroll-devices-at-scale" target="_blank"><u>Set Up School PCs demo</u></a>, which provides detailed steps to create a provisioning package and deploy a device.
-## Windows Configuration Designer
-
-Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Differently from Set Up School PCs, Windows Configuration Designer doesn't offer a guided experience, and allows granular customizations, including the possibility to embed scripts in the package.
-
-:::image type="content" source="./images/wcd.png" alt-text="Set up device page in Windows Configuration Designer" border="false":::
-
-For more information, see [Install Windows Configuration Designer][WIN-1], which provides details about the app, its provisioning process, and considerations for its use.
-
-## Enroll devices with the provisioning package
-
-To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Microsoft Entra ID and automatically enroll in Intune.
-All settings defined in the package and in Intune will be applied to the device, and the device will be ready to use.
-
-:::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false":::
-
----
-
-## Next steps
-
-With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
-
-> [!div class="nextstepaction"]
-> [Next: Manage devices >](manage-overview.md)
-
-<!-- Reference links in article -->
-
-[EDU-1]: /education/windows/use-set-up-school-pcs-app
-
-[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd

education/windows/tutorial-school-deployment/index.md

@@ -1,81 +0,0 @@
----
-title: Introduction to the tutorial deploy and manage Windows devices in a school
-description: Introduction to deployment and management of Windows devices in education environments.
-ms.date: 11/09/2023
-ms.topic: tutorial
-ms.collection: essentials-get-started
----
-
-# Tutorial: deploy and manage Windows devices in a school
-
-This guide introduces the tools and services available from Microsoft to deploy, configure and manage Windows devices in an education environment.
-
-## Audience and user requirements
-
-This tutorial is intended for education professionals responsible for deploying and managing Windows devices, including:  
-
-- School leaders
-- IT administrators
-- Teachers
-- Microsoft partners
-
-This content provides a comprehensive path for schools to deploy and manage new Windows devices with Microsoft Intune. It includes step-by-step information how to manage devices throughout their lifecycle, and specific guidance for **Windows 11 SE** and **Surface devices**.
-
-> [!NOTE]
-> Depending on your school setup scenario, you may not need to implement all steps.
-
-## Device lifecycle management
-
-Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management.
-
-Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Intune services. With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices.
-Microsoft Intune services include:
-
-- [Microsoft Intune][MEM-1]
-- [Microsoft Intune for Education][INT-1]
-- [Configuration Manager][MEM-2]
-- [Desktop Analytics][MEM-3]
-- [Windows Autopilot][MEM-4]
-- [Surface Management Portal][MEM-5]
-
-These services are part of the Microsoft 365 stack to help secure access, protect data, and manage risk.
-
-## Why Intune for Education?
-
-Windows devices can be managed with Intune for Education, enabling simplified management of multiple devices from a single point.
-From enrollment, through configuration and protection, to resetting, Intune for Education helps school IT administrators manage and optimize the devices throughout their lifecycle:
-
-:::image type="content" source="./images/device-lifecycle.png" alt-text="The device lifecycle for Intune-managed devices" border="false":::
-
-- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Microsoft Entra tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies
-- **Configure:** once the devices are enrolled in Intune, applications and settings will be applied, as defined by the IT administrator
-- **Protect and manage:** in addition to its configuration capabilities, Intune for Education helps protect devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates
-- **Retire:** when it's time to repurpose a device, Intune for Education offers several options, including resetting the device, removing it from management, or wiping school data. In this document, we cover different device return and exchange scenarios
-
-## Four pillars of modern device management
-
-In the remainder of this document, we'll discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The guidance is organized around the four main pillars of modern device management:
-
-- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Microsoft Entra ID, as the foundation for user identity and authentication
-- **Initial setup:** setting up the Intune for Education environment for managing devices, including configuring settings, deploying applications, and defining updates cadence  
-- **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education
-- **Device reset:** Resetting managed devices with Intune for Education
-
----
-
-## Next steps
-
-Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment.
-
-> [!div class="nextstepaction"]
-> [Next: Set up Microsoft Entra ID >](set-up-microsoft-entra-id.md)
-
-<!-- Reference links in article -->
-
-[MEM-1]: /mem/intune/fundamentals/what-is-intune
-[MEM-2]: /mem/configmgr/core/understand/introduction
-[MEM-3]: /mem/configmgr/desktop-analytics/overview
-[MEM-4]: /mem/autopilot/windows-autopilot
-[MEM-5]: /mem/autopilot/dfci-management
-
-[INT-1]: /intune-education/what-is-intune-for-education

education/windows/tutorial-school-deployment/manage-overview.md

@@ -1,59 +0,0 @@
----
-title: Manage devices with Microsoft Intune
-description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting.
-ms.date: 11/09/2023
-ms.topic: tutorial
----
-
-# Manage devices with Microsoft Intune
-
-Microsoft Intune offers a streamlined remote device management experience throughout the school year. IT administrators can optimize device settings, deploy new applications, updates, ensuring that security and privacy are maintained.
-
-:::image type="content" source="./images/protect-manage.png" alt-text="The device lifecycle for Intune-managed devices - protect and manage devices" border="false":::
-
-## Remote device management
-
-With Intune for Education, there are several ways to manage students' devices. Groups can be created to organize devices and students, to facilitate remote management. You can determine which applications students have access to, and fine tune device settings and restrictions. You can also monitor which devices students sign in to, and troubleshoot devices remotely.
-
-### Remote actions
-
-Intune fo Education allows you to perform actions on devices without having to sign in to the devices. For example, you can send a command to a device to restart or to turn off, or you can locate a device.
-
-:::image type="content" source="./images/remote-actions.png" alt-text="Remote actions available in Intune for Education when selecting a Windows device" lightbox="./images/remote-actions.png" border="true":::
-
-With bulk actions, remote actions can be performed on multiple devices at once.
-
-To learn more about remote actions in Intune for Education, see [Remote actions][EDU-1].
-
-## Remote assistance
-
-With devices managed by Intune for Education, you can remotely assist students and teachers that are having issues with their devices.
-
-For more information, see [Remote assistance for managed devices - Intune for Education][EDU-2].
-
-## Device inventory and reporting
-
-With Intune for Education, it's possible view and report on current devices, applications, settings, and overall health. You can also download reports to review or share offline.
-
-Here are the steps for generating reports in Intune for Education:
-
-1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
-1. Select **Reports**
-1. Select between one of the report types:
-    - Device inventory
-    - Device actions
-    - Application inventory
-    - Settings errors
-    - Windows Defender
-    - Autopilot deployment
-1. If needed, use the search box to find specific devices, applications, and settings
-1. To download a report, select **Download**. The report will download as a comma-separated value (CSV) file, which you can view and modify in a spreadsheet app like Microsoft Excel.
-    :::image type="content" source="./images/inventory-reporting.png" alt-text="Reporting options available in Intune for Education when selecting the reports blade" border="true":::
-
-To learn more about reports in Intune for Education, see [Reports in Intune for Education][EDU-3].
-
-<!-- Reference links in article -->
-
-[EDU-1]: /intune-education/edu-device-remote-actions
-[EDU-2]: /intune-education/remote-assist-mobile-devices
-[EDU-3]: /intune-education/what-are-reports

education/windows/tutorial-school-deployment/manage-surface-devices.md

@@ -1,44 +0,0 @@
----
-title: Management functionalities for Surface devices
-description: Learn about the management capabilities offered to Surface devices, including firmware management and the Surface Management Portal.
-ms.date: 11/09/2023
-ms.topic: tutorial
-appliesto: 
-  - ✅ <b>Surface devices</b>
----
-
-# Management functionalities for Surface devices
-
-Microsoft Surface devices offer advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
-
-## Manage device firmware for Surface devices
-
-Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that allows you to enable or disable built-in hardware components, protect UEFI settings from being changed, and adjust device boot configuration. With [Device Firmware Configuration Interface profiles built into Intune][INT-1], Surface UEFI management extends the modern management capabilities to the hardware level. Windows can pass management commands from Intune to UEFI for Autopilot-deployed devices.
-
-DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI.
-
-:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Intune" lightbox="./images/dfci-profile-expanded.png" border="true":::
-
-## Microsoft Surface Management Portal
-
-Located in the Microsoft Intune admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more.
-
-When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities.
-
-To access and use the Surface Management Portal:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-1. Select **All services** > **Surface Management Portal**
-    :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true":::
-1. To obtain insights for all your Surface devices, select **Monitor**
-    - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here
-1. To obtain details on each insights category, select **View report**
-    - This dashboard displays diagnostic information that you can customize and export
-1. To obtain the device's warranty information, select **Device warranty and coverage**
-1. To review a list of support requests and their status, select **Support requests**
-
-<!-- Reference links in article -->
-
-[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows
-[MEM-1]: /mem/autopilot/dfci-management
-[SURF-1]: /surface/surface-manage-dfci-guide

education/windows/tutorial-school-deployment/reset-wipe.md

@@ -1,111 +0,0 @@
----
-title: Reset and wipe Windows devices
-description: Learn about the reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices.
-ms.date: 11/09/2023
-ms.topic: tutorial
----
-
-# Device reset options
-
-There are different scenarios that require a device to be reset, for example:
-
-- The device isn't responding to commands
-- The device is lost or stolen
-- It's the end of the life of the device
-- It's the end of the school year and you want to prepare the device for a new school year
-- The device has hardware problems and you want to send it to the service center
-
-:::image type="content" source="./images/retire.png" alt-text="The device lifecycle for Intune-managed devices - retirement" border="false":::
-
-Intune for Education provides two device reset functionalities that enable IT administrators to remotely execute them:
-
-- **Factory reset** (also known as **wipe**) is used to wipe all data and settings from the device, returning it to the default factory settings
-- **Autopilot reset** is used to return the device to a fully configured or known IT-approved state
-
-## Factory reset (wipe)
-
-A factory reset, or a wipe, reverts a device to the original settings when it was purchased. All settings, applications and data installed on the device after purchase are removed. The device is also removed from Intune management.
-
-Once the wipe is completed, the device will be in out-of-box experience.
-
-Here are the steps to perform a factory reset from Intune for Education: 
-
-1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
-1. Select **Devices**
-1. Select the device you want to reset > **Factory reset**
-1. Select **Factory reset** to confirm the action
-
-:::image type="content" source="./images/win11-wipe.png" alt-text="Three screenshots showing the device being wiped, ending up in OOBE" lightbox="./images/win11-wipe.png" border="false":::
-
-Consider using factory reset in the following example scenarios:
-
-- The device isn't working properly, and you want to reset it without reimaging it
-- It's the end of school year and you want to prepare the device for a new school year
-- You need to reassign the device to a different student, and you want to reset the device to its original settings
-- You're returning a device to the service center, and you want to remove all data and settings from the device
-
-> [!TIP]
-> Consider that once the device is wiped, the new user will go through OOBE. This option may be ideal if the device is also registered in Autopilot to make the OOBE experience seamless, or if you plan to use a provisioning package to re-enroll the device.
-
-## Autopilot Reset
-
-Autopilot Reset is ideal when all data on a device needs to be wiped, but the device remains enrolled in your tenant.
-
-Once the Autopilot reset action is completed, the device will ask to chose region and keyboard layout, then it will display the sign-in screen.
-
-Here are the steps to perform an Autopilot reset from Intune for Education: 
-
-1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
-1. Select **Devices**
-1. Select the device you want to reset > **Autopilot reset**
-1. Select **Autopilot reset** to confirm the action
-
-:::image type="content" source="./images/win11-autopilot-reset.png" alt-text="Three screenshots showing the device being wiped, ending up in the login screen" border="false":::
-
-Consider using Autopilot reset in the following example scenarios:
-
-- The device isn't working properly, and you want to reset it without reimaging it
-- It's the end of school year and you want to prepare the device for a new school year
-- You need to reassign the device to a different student, and you want to reset the device to without requiring the student to go through OOBE
-
-> [!TIP]
-> Consider that the end user will **not** go through OOBE, and the association of the user to  the device in Intune doesn't change. For this reason, this option may be ideal for devices that have been enrolled in Intune as *shared devices* (for example, a device that was enrolled with a provisioning package or using Autopilot self-deploying mode).
-
-## Wiping and deleting a device
-
-There are scenarios that require a device to be deleted from your tenant, for example:
-
-- The device is lost or stolen
-- It's the end of the life of the device
-- The device has been replaced with a new device or has its motherboard replaced
-
-> [!IMPORTANT]
-> The following actions should only be performed for devices that are no longer going to be used in your tenant.
-
- To completely remove a device, you need to perform the following actions:
-
-1. If possible, perform a **factory reset (wipe)** of the device. If the device can't be wiped, delete the device from Intune using [these steps][MEM-1]
-1. If the device is registered in Autopilot, delete the Autopilot object using [these steps][MEM-2]
-1. Delete the device from Microsoft Entra ID using [these steps][MEM-3]
-
-## Autopilot considerations for a motherboard replacement scenario
-
-Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be balanced with Autopilot requirements. If a motherboard replacement is needed on an Autopilot device, it's suggested the following process:
-
-1. Deregister the device from Autopilot
-1. Replace the motherboard
-1. Capture a new device ID (4K HH)
-1. Re-register the device with Autopilot
-    > [!IMPORTANT]
-    > For DFCI management, the device must be re-registered by a partner or OEM. Self-registration of devices is not supported with DFCI management.
-1. Reset the device
-1. Return the device
-
-For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4].
-
-<!-- Reference links in article -->
-
-[MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
-[MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
-[MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal
-[MEM-4]: /mem/autopilot/autopilot-mbr

education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md

@@ -1,173 +0,0 @@
----
-title: Set up Microsoft Entra ID
-description: Learn how to create and prepare your Microsoft Entra tenant for an education environment.
-ms.date: 01/16/2024
-ms.topic: tutorial
-appliesto:
----
-
-# Set up Microsoft Entra ID
-
-The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step, is to configure the identity infrastructure to manage user access and permissions for your school.
-
-Microsoft Entra ID, which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Microsoft Entra ID for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.
-
-> [!div class="checklist"]
->In this section you will:
->
-> - Set up a Microsoft 365 Education tenant
-> - Add users, create groups, and assign licenses
-> - Configure school branding
-> - Enable bulk enrollment
-
-## Create a Microsoft 365 tenant
-
-If you don't already have a Microsoft 365 tenant, you'll need to create one.
-
-For more information, see [Create your Office 365 tenant account][M365-1]
-
-> [!TIP]
-> To learn more, and practice how to configure the Microsoft 365 tenant for your school, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/set-up-Microsoft-365" target="_blank"><u>this interactive demo</u></a>.
-### Explore the Microsoft 365 admin center
-
-The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the <a href="https://entra.microsoft.com" target="_blank"><u>Microsoft Entra admin center</u></a>, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant).
-
-From the Microsoft 365 admin center, you can access different administrative dashboards: Microsoft Entra ID, Microsoft Intune, Intune for Education, and others:
-
-:::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true":::
-
-For more information, see [Overview of the Microsoft 365 admin center][M365-2].
-
-> [!NOTE]
-> Setting up your school's basic cloud infrastructure does not require you to complete the rest of the Microsoft 365 setup. For this reason, we will skip directly to adding students and teachers as users in the Microsoft 365 tenant.
-
-## Add users, create groups, and assign licenses
-
-With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above.
-
-> [!NOTE]
-> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [Microsoft Entra Connect Sync](#microsoft-entra-connect-sync) below.
-
-### School Data Sync
-
-School Data Sync (SDS) imports and synchronizes SIS data to create classes in Microsoft 365, such as Microsoft 365 groups and class teams in Microsoft Teams. SDS can be used to create new, cloud-only, identities or to evolve existing identities. Users evolve into *students* or *teachers* and are associated with a *grade*, *school*, and other education-specific attributes.
-
-For more information, see [Overview of School Data Sync][SDS-1].
-
-> [!TIP]
-> To learn more and practice with School Data Sync, follow the <a href="https://interactiveguides-schooldatasync.azurewebsites.net/" target="_blank"><u>Microsoft School Data Sync demo</u></a>, which provides detailed steps to access, configure, and deploy School Data Sync in your Microsoft 365 Education tenant.
-
-> [!NOTE]
-> You can perform a test deployment by cloning or downloading sample SDS CSV school data from the [<u>O365-EDU-Tools GitHub site</u>](https://github.com/OfficeDev/O365-EDU-Tools).
->
-> Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment.
-
-### Microsoft Entra Connect Sync
-
-To integrate an on-premises directory with Microsoft Entra ID, you can use **Microsoft Entra Connect** to synchronize users, groups, and other objects. Microsoft Entra Connect lets you configure the authentication method appropriate for your school, including:
-
-- [Password hash synchronization][AAD-1]
-- [Pass-through authentication][AAD-2]
-- [Federated authentication][AAD-3]
-
-For more information, see [Set up directory synchronization for Microsoft 365][O365-1].
-
-### Create users manually
-
-In addition to the above methods, you can manually add users and groups, and assign licenses through the Microsoft 365 admin center.
-
-There are two options for adding users manually, either individually or in bulk:
-
-1. To add students and teachers as users in Microsoft 365 Education *individually*:
-    - Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-    - Select **Microsoft Entra ID** > **Users** > **All users** > **New user** > **Create new user**
-    For more information, see [Add users and assign licenses at the same time][M365-3].
-1. To add *multiple* users to Microsoft 365 Education:
-    - Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-    - Select **Microsoft Entra ID** > **Users** > **All users** > **Bulk operations** > **Bulk create**
-
-For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
-
-### Create groups
-
-Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
-
-1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-1. Select **Microsoft Entra ID** > **Groups** > **All groups** > **New group**
-1. On the **New group** page, select **Group type** > **Security**
-1. Provide a group name and add members, as needed
-1. Select **Next**
-
-For more information, see [Create a group in the Microsoft 365 admin center][M365-5].
-
-### Assign licenses
-
-The recommended way to assign licenses is through group-based licensing. With this method, Microsoft Entra ID ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed.
-
-To assign a license to a group:
-
-1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-1. Select **Microsoft Entra ID** > **Show More** > **Billing** > **Licenses**
-1. Select the required products that you want to assign licenses for > **Assign**
-1. Add the groups to which the licenses should be assigned
-
-   :::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." lightbox="images/entra-assign-licenses.png":::
-
-For more information, see [Group-based licensing using Microsoft Entra admin center][AAD-4].
-
-## Configure school branding
-
-Configuring your school branding enables a more familiar Autopilot experience to students and teachers. With a custom school branding, you can define a custom logo and a welcome message, which will appear during the Windows out-of-box experience.
-
-To configure your school's branding:
-
-1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-1. Select **Microsoft Entra ID** > **Show More** > **User experiences** > **Company branding**
-1. You can specify brand settings like background image, logo, username hint and a sign-in page text
-    :::image type="content" source="images/entra-branding.png" alt-text="Configure Microsoft Entra ID branding from Microsoft Entra admin center." lightbox="images/entra-branding.png":::
-1. To adjust the school tenant's name displayed during OOBE, select **Microsoft Entra ID** > **Overview** > **Properties**
-1. In the **Name** field, enter the school district or organization's name > **Save**
-    :::image type="content" alt-text="Configure Microsoft Entra tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png":::
-
-For more information, see [Add branding to your directory][AAD-5].
-
-## Enable bulk enrollment
-
-If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Microsoft Entra tenant.
-
-To allow provisioning packages to complete the Microsoft Entra join process:
-
-1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
-1. Select **Microsoft Entra ID** > **Devices** > **Device Settings**
-1. Under **Users may join devices to Microsoft Entra ID**, select **All**
-    > [!NOTE]
-    > If it is required that only specific users can join devices to Microsoft Entra ID, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users.
-1. Select Save
-    :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
-
----
-
-## Next steps
-
-With users and groups created, and licensed for Microsoft 365 Education, you can now configure Microsoft Intune.
-
-> [!div class="nextstepaction"]
-> [Next: Set up Microsoft Intune >](set-up-microsoft-intune.md)
-
-<!-- Reference links in article -->
-
-[AAD-1]: /azure/active-directory/hybrid/whatis-phs
-[AAD-2]: /azure/active-directory/hybrid/how-to-connect-pta
-[AAD-3]: /azure/active-directory/hybrid/how-to-connect-fed-whatis
-[AAD-4]: /azure/active-directory/enterprise-users/licensing-groups-assign
-[AAD-5]: /azure/active-directory/fundamentals/customize-branding
-
-[M365-1]: /microsoft-365/education/deploy/create-your-office-365-tenant
-[M365-2]: /microsoft-365/admin/admin-overview/admin-center-overview
-[M365-3]: /microsoft-365/admin/add-users/add-users
-[M365-4]: /microsoft-365/enterprise/add-several-users-at-the-same-time
-[M365-5]: /microsoft-365/admin/create-groups/create-groups
-
-[O365-1]: /office365/enterprise/set-up-directory-synchronization
-
-[SDS-1]: /schooldatasync/overview-of-school-data-sync

education/windows/tutorial-school-deployment/set-up-microsoft-intune.md

@@ -1,97 +0,0 @@
----
-title: Set up device management
-description: Learn how to configure the Intune service and set up the environment for education.
-ms.date: 01/16/2024
-ms.topic: tutorial
-appliesto:
----
-
-# Set up Microsoft Intune
-
-Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Intune is a collection of services that simplifies the management of devices at scale.
-
-The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments.
-
-:::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true":::
-
-**Intune for Education** supports the entire device lifecycle, from the enrollment phase through retirement. IT administrators can start managing classroom devices with bulk enrollment options and a streamlined deployment. At the end of the school year, IT admins can reset devices, ensuring they're ready for the next year.
-
-For more information, see [Intune for Education documentation][INT-1].
-
-> [!div class="checklist"]
->In this section you will:
->
-> - Review Intune's licensing prerequisites
-> - Configure the Intune service for education devices
-
-## Prerequisites
-
-Before configuring settings with Intune for Education, consider the following prerequisites:
-
-- **Intune subscription.** Microsoft Intune is licensed in three ways:
-  - As a standalone service
-  - As part of [Enterprise Mobility + Security][MSFT-1]
-  - As part of a [Microsoft 365 Education subscription][MSFT-2]
-- **Device platform.** Intune for Education can manage devices running a supported version of Windows 10, Windows 11, Windows 11 SE, iOS, and iPad OS
-
-For more information, see [Intune licensing][MEM-1] and [this comparison sheet][MSFT-3], which includes a table detailing the *Microsoft Modern Work Plan for Education*.
-
-## Configure the Intune service for education devices
-
-The Intune service can be configured in different ways, depending on the needs of your school. In this section, you'll configure the Intune service using settings commonly implemented by K-12 school districts.
-
-### Configure enrollment restrictions
-
-With enrollment restrictions, you can prevent certain types of devices from being enrolled and therefore managed by Intune. For example, you can prevent the enrollment of devices that are not owned by the school.
-
-To block personally owned Windows devices from enrolling:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions**
-1. Select the **Windows restrictions** tab
-1. Select **Create restriction**
-1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next**
-1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next**
-    :::image type="content" source="./images/enrollment-restrictions.png" alt-text="This screenshot is of the device enrollment restriction page in Microsoft Intune admin center." lightbox="./images/enrollment-restrictions.png":::
-1. Optionally, on the **Scope tags** page, add scope tags > **Next**
-1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next**
-1. On the **Review + create** page, select **Create** to save the restriction
-
-For more information, see [Create a device platform restriction][MEM-2].
-
-### Disable Windows Hello for Business
-
-Windows Hello for Business is a biometric authentication feature that allows users to sign in to their devices using a PIN, password, or fingerprint. Windows Hello for Business is enabled by default on Windows devices, and to set it up, users must perform for multi-factor authentication (MFA). As a result, this feature may not be ideal for students, who may not have MFA enabled.
-It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices.
-To disable Windows Hello for Business at the tenant level:
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** > **Windows** > **Windows Enrollment**
-1. Select **Windows Hello for Business**
-1. Ensure that **Configure Windows Hello for Business** is set to **disabled**
-1. Select **Save**
-
-:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="./images/whfb-disable.png":::
-
-For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
-
----
-
-## Next steps
-
-With the Intune service configured, you can configure policies and applications in preparation to the deployment of students' and teachers' devices.
-
-> [!div class="nextstepaction"]
-> [Next: Configure devices >](configure-devices-overview.md)
-
-<!-- Reference links in article -->
-
-[MEM-1]: /mem/intune/fundamentals/licenses
-[MEM-2]: /mem/intune/enrollment/enrollment-restrictions-set
-[MEM-4]: /mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy
-
-[INT-1]: /intune-education/what-is-intune-for-education
-
-[MSFT-1]: https://www.microsoft.com/microsoft-365/enterprise-mobility-security
-[MSFT-2]: https://www.microsoft.com/licensing/product-licensing/microsoft-365-education
-[MSFT-3]: https://edudownloads.azureedge.net/msdownloads/Microsoft-Modern-Work-Plan-Comparison-Education_11-2021.pdf

education/windows/tutorial-school-deployment/toc.yml

@@ -1,38 +0,0 @@
-items: 
-  - name: Introduction
-    href: index.md
-  - name: 1. Prepare your tenant
-    items:
-      - name: Set up Microsoft Entra ID
-        href: set-up-microsoft-entra-id.md
-      - name: Set up Microsoft Intune
-        href: set-up-microsoft-intune.md
-  - name: 2. Configure settings and applications
-    items:
-      - name: Overview
-        href: configure-devices-overview.md
-      - name: Configure policies
-        href: configure-device-settings.md
-      - name: Configure applications
-        href: configure-device-apps.md        
-  - name: 3. Deploy devices
-    items: 
-      - name: Overview
-        href: enroll-overview.md
-      - name: Enroll devices via Microsoft Entra join
-        href: enroll-entra-join.md
-      - name: Enroll devices with provisioning packages
-        href: enroll-package.md
-      - name: Enroll devices with Windows Autopilot
-        href: enroll-autopilot.md
-  - name: 4. Manage devices
-    items: 
-      - name: Overview
-        href: manage-overview.md
-      - name: Management functionalities for Surface devices
-        href: manage-surface-devices.md       
-      - name: Reset and wipe devices
-        href: reset-wipe.md
-  - name: 5. Troubleshoot and get help
-    href: troubleshoot-overview.md
-    

education/windows/tutorial-school-deployment/troubleshoot-overview.md

@@ -1,56 +0,0 @@
----
-title: Troubleshoot Windows devices
-description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services.
-ms.date: 11/09/2023
-ms.topic: tutorial
----
-
-# Troubleshoot Windows devices
-
-Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
-Here's a collection of resources to help you troubleshoot Windows devices managed by Intune:
-
-- [Troubleshooting device enrollment in Intune][MEM-2]
-- [Troubleshooting Windows Autopilot][MEM-9]
-- [Troubleshoot Windows Wi-Fi profiles][MEM-6]
-- [Troubleshooting policies and profiles in Microsoft Intune][MEM-5]
-- [Troubleshooting BitLocker with the Intune encryption report][MEM-4]
-- [Troubleshooting CSP custom settings][MEM-8]
-- [Troubleshooting Win32 app installations with Intune][MEM-7]
-- [Troubleshooting device actions in Intune][MEM-3]
-- [**Collect diagnostics**][MEM-10] is a remote action that lets you collect and download Windows device logs without interrupting the user
-  :::image type="content" source="./images/intune-diagnostics.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-diagnostics.png" border="true":::
-
-## How to contact Microsoft Support
-
-Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
-
-Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices:
-
-- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-- Select **Troubleshooting + support** > **Help and support**
-    :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png":::
-- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365
-- Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests*
-- In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like:
-  - Run diagnostics: start automated tests and investigations of your tenant from the console to reveal known issues. When you run a diagnostic, you may receive mitigation steps to help with resolution
-  - View insights: find links to documentation that provides context and background specific to the product area or actions you've described
-  - Recommended articles: browse suggested troubleshooting topics and other content related to your issue
-- If needed, use the *Contact support* pane to file an online support ticket
-  > [!IMPORTANT]
-  > When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue.
-- To review your case history, select the **Service requests** pane. Active cases are at the top of the list, with closed issues also available for review
-
-For more information, see [Microsoft Intune support page][MEM-1]
-
-<!-- Reference links in article -->
-[MEM-1]: /mem/get-support
-[MEM-2]: /troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune
-[MEM-3]: /troubleshoot/mem/intune/troubleshoot-device-actions
-[MEM-4]: /troubleshoot/mem/intune/troubleshoot-bitlocker-admin-center
-[MEM-5]: /troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune
-[MEM-6]: /troubleshoot/mem/intune/troubleshoot-wi-fi-profiles#troubleshoot-windows-wi-fi-profiles
-[MEM-7]: /troubleshoot/mem/intune/troubleshoot-win32-app-install
-[MEM-8]: /troubleshoot/mem/intune/troubleshoot-csp-custom-settings
-[MEM-9]: /mem/autopilot/troubleshooting
-[MEM-10]: /mem/intune/remote-actions/collect-diagnostics

education/windows/windows-11-se-overview.md

@@ -102,10 +102,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `ContentKeeper Cloud`                     | 9.01.45           | `Win32`    | `ContentKeeper Technologies`              |
 | `DigiExam`                                | 14.1.0            | `Win32`    | `Digiexam`                                |
 | `Digital Secure testing browser`          | 15.0.0            | `Win32`    | `Digiexam`                                |
-| `Dolphin Guide Connect`                   | 1.25              | `Win32`    | `Dolphin Guide Connect`                   |
+| `Dolphin Guide Connect`                   | 1.27              | `Win32`    | `Dolphin Guide Connect`                   |
 | `Dragon Professional Individual`          | 15.00.100         | `Win32`    | `Nuance Communications`                   |
 | `DRC INSIGHT Online Assessments`          | 14.0.0.0          | `Store`  | `Data recognition Corporation`              |
-| `Duo from Cisco`                          | 3.0.0             | `Win32`    | `Cisco`                                   |
+| `Duo from Cisco`                          | 6.3.0            | `Win32`    | `Cisco`                                   |
 | `Dyknow`                                  | 7.9.13.7          | `Win32`    | `Dyknow`                                  |
 | `e-Speaking Voice and Speech recognition` | 4.4.0.11          | `Win32`    | `e-speaking`                              |
 | `EasyReader`                              | 10.0.4.498        | `Win32`    | `Dolphin Computer Access`                 |
@@ -114,7 +114,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `ESET Endpoint Security`                  | 10.1.2046.0       | `Win32`    | `ESET`                                    |
 | `ESET Remote Administrator Agent`         | 10.0.1126.0       | `Win32`    | `ESET`                                    |
 | `eTests`                                  | 4.0.25            | `Win32`    | `CASAS`                                   |
-| `Exam Writepad`                           | 23.2.4.2338       | `Win32`    | `Sheldnet`                                |
+| `Exam Writepad`                           | 23.12.10.1200      | `Win32`    | `Sheldnet`                                |
 | `FirstVoices Keyboard`                    | 15.0.270          | `Win32`    | `SIL International`                       |
 | `FortiClient`                             | 7.2.0.4034+       | `Win32`    | `Fortinet`                                |
 | `Free NaturalReader`                      | 16.1.2            | `Win32`    | `Natural Soft`                            |
@@ -126,8 +126,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Immunet`                                 | 7.5.8.21178       | `Win32`    | `Immunet`                                 |
 | `Impero Backdrop Client`                  | 5.0.151           | `Win32`    | `Impero Software`                         |
 | `IMT Lazarus`                             | 2.86.0            | `Win32`    | `IMTLazarus`                              |
+| `Inprint`                                 | 3.7.6             | `Win32`    | `Inprint`                                 |
 | `Inspiration 10`                          | 10.11             | `Win32`    | `TechEdology Ltd`                         |
-| `JAWS for Windows`                        | 2023.2307.37      | `Win32`    | `Freedom Scientific`                      |
+| `Instashare`                              | 1.3.13.0            | `Win32`    | `Instashare`                            |
+| `JAWS for Windows`                        | 2024.2312.53      | `Win32`    | `Freedom Scientific`                      |
 | `Kite Student Portal`                     | 9.0.0.0           | `Win32`    | `Dynamic Learning Maps`                   |
 | `Keyman`                                  | 16.0.142          | `Win32`    | `SIL International`                       |
 | `Kortext`                                 | 2.3.433.0         | `Store`  | `Kortext`                                 |
@@ -155,7 +157,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `NetSupport School`                       | 14.00.0012        | `Win32`    | `NetSupport`                              |
 | `NextUp Talker`                           | 1.0.49            | `Win32`    | `NextUp Technologies`                     |
 | `Netsweeper Workstation Agent`            | 4.50.54.54        | `Win32`    | `Netsweeper`                              |
-| `NonVisual Desktop Access`                | 2023.1.           | `Win32`    | `NV Access`                               |
+| `NonVisual Desktop Access`                | 2023.3            | `Win32`    | `NV Access`                               |
 | `NWEA Secure Testing Browser`             | 5.4.387.0         | `Win32`    | `NWEA`                                    |
 | `PC Talker Neo`                           | 2209              | `Win32`    | `Kochi System Development`                |
 | `PC Talker Neo Plus`                      | 2209              | `Win32`    | `Kochi System Development`                |
@@ -166,7 +168,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `ReadAndWriteForWindows`                  | 12.0.78           | `Win32`    | `Texthelp Ltd.`                           |
 | `Remote Desktop client (MSRDC)`           | 1.2.4487.0        | `Win32`    | `Microsoft`                               |
 | `Remote Help`                             | 5.0.1311.0        | `Win32`    | `Microsoft`                               |
-| `Respondus Lockdown Browser`              | 2.0.9.03          | `Win32`    | `Respondus`                               |
+| `Respondus Lockdown Browser`              | 2.1.1.05          | `Win32`    | `Respondus`                               |
 | `Safe Exam Browser`                       | 3.5.0.544         | `Win32`    | `Safe Exam Browser`                       |
 |`SchoolYear`                               | 3.5.4             | `Win32`    |`SchoolYear`                               |
 |`School Manager`                           | 3.6.10-1149       | `Win32`    |`Linewize`                                 |
@@ -175,9 +177,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Senso.Cloud`                             |2021.11.15.0       | `Win32`    | `Senso.Cloud`                             |
 | `Skoolnext`                               | 2.19              | `Win32`    | `Skool.net`                               |
 | `Smoothwall Monitor`                      | 2.9.2             | `Win32`    | `Smoothwall Ltd`                          |
-| `SuperNova Magnifier & Screen Reader`     | 22.03             | `Win32`    | `Dolphin Computer Access`                 |
+| `SuperNova Magnifier & Screen Reader`     | 22.04             | `Win32`    | `Dolphin Computer Access`                 |
 | `SuperNova Magnifier & Speech`            | 21.03             | `Win32`    | `Dolphin Computer Access`                 |
-|`TX Secure Browser`                        | 15.0.0            | `Win32`    | `Cambium Development`                     |
+| `Snapplify`                               | 6.9.7             | `Win32`    | `Snapplify`                               |
+|`TX Secure Browser`                        | 16.0.0            | `Win32`    | `Cambium Development`                     |
 | `VitalSourceBookShelf`                    | 10.2.26.0         | `Win32`    | `VitalSource Technologies Inc`            |
 |`WA Secure Browser`                        | 16.0.0            | `Win32`    | `Cambium Development`                     |
 | `Winbird`                                 | 19                | `Win32`    | `Winbird Co., Ltd.`                       |
@@ -185,8 +188,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Windows SEB`                             | 3.4.0             | `Win32`    | `Illinois Stateboard of Education`        |
 | `Windows Notepad`                         | 12.0.78           | `Store`    | `Microsoft Corporation`                   |
 | `Zoom`                                    | 5.12.8 (10232)    | `Win32`    | `Zoom`                                    |
-| `ZoomText Fusion`                         | 2023.2307.7.400  | `Win32`    | `Freedom Scientific`                      |
+| `ZoomText Fusion`                         | 2024.2310.13.400  | `Win32`    | `Freedom Scientific`                      |
-| `ZoomText Magnifier/Reader`               | 2023.2307.29.400  | `Win32`    | `Freedom Scientific`                      |
+| `ZoomText Magnifier/Reader`               | 2024.2312.26.400  | `Win32`    | `Freedom Scientific`                      |
 
 ## Add your own applications
 
@@ -224,4 +227,4 @@ For more information on Intune requirements for adding education apps, see [Conf
 [EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps
 [EDUWIN-2]: /education/windows/tutorial-school-deployment/
 
-[WIN-1]: /windows/whats-new/windows-11-requirements
+[WIN-1]: /windows/whats-new/windows-11-requirements

education/windows/windows-11-se-settings-list.md

@@ -2,7 +2,7 @@
 title: Windows 11 SE settings list
 description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
 ms.topic: reference
-ms.date: 08/18/2023
+ms.date: 05/06/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
 ms.collection:

windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md

@@ -32,7 +32,7 @@ You can use Internet Information Services' (IIS) network load balancing (NLB) to
 
 Review the following articles to learn more about configuring IIS and NLB for computers running Windows Server operating systems:
 
-* [Achieving High Availability and Scalability - ARR and NLB](https://www.iis.net/learn/extensions/configuring-application-request-routing-arr/achieving-high-availability-and-scalability-arr-and-nlb) describes how to configure IIS 7.0.
+* [Achieving High Availability and Scalability - ARR and NLB](/iis/extensions/configuring-application-request-routing-arr/achieving-high-availability-and-scalability-arr-and-nlb) describes how to configure IIS 7.0.
 
 * [Network load balancing overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831698(v=ws.11)) will tell you more about how to configure Microsoft Windows Server.
 
@@ -88,13 +88,13 @@ Use the following steps to modify the connection string to include ```failover p
 3. Modify the **MANAGEMENT\_SQL\_CONNECTION\_STRING** value with the ```failover partner = <server2>``` value.
 4. Restart management service using the IIS console.
   > [!NOTE]
-   >Database Mirroring is on the list of [deprecated database engine features in SQL Server 2012](<https://msdn.microsoft.com/library/ms143729(v=sql.110).aspx>) due to the **AlwaysOn** feature available starting with Microsoft SQL Server 2012.
+   >Database Mirroring is on the list of [deprecated database engine features in SQL Server 2012](/previous-versions/sql/sql-server-2012/ms143729(v=sql.110)) due to the **AlwaysOn** feature available starting with Microsoft SQL Server 2012.
 
-Click any of the following links for more information:
+For more information, see the following articles:
 
 * [Prepare a mirror database for mirroring (SQL Server)](/sql/database-engine/database-mirroring/prepare-a-mirror-database-for-mirroring-sql-server).
 * [Establish a database mirroring session using Windows Authentication (SQL Server Management Studio)](/sql/database-engine/database-mirroring/establish-database-mirroring-session-windows-authentication).
-* [Deprecated database engine features in SQL Server 2012](<https://msdn.microsoft.com/library/ms143729(v=sql.110).aspx>).
+* [Deprecated database engine features in SQL Server 2012](/previous-versions/sql/sql-server-2012/ms143729(v=sql.110)).
 
 ## Support for Microsoft SQL Server Always On configuration
 

windows/client-management/client-tools/quick-assist.md

@@ -11,7 +11,7 @@ ms.collection:
 
 # Use Quick Assist to help users
 
-Quick Assist is a Microsoft Store application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
+Quick Assist is an application that enables a person to share their [Windows](#install-quick-assist-on-windows) or [macOS](#install-quick-assist-on-macos) device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
 
 ## Before you begin
 
@@ -89,7 +89,7 @@ Microsoft logs a small amount of session data to monitor the health of the Quick
 
 In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device.
 
-## Install Quick Assist
+## Install Quick Assist on Windows
 
 ### Install Quick Assist from the Microsoft Store
 
@@ -127,7 +127,7 @@ To install Quick Assist offline, you need to download your APPXBUNDLE and unenco
 1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"`
 1. After Quick Assist has installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers`
 
-## Microsoft Edge WebView2
+### Microsoft Edge WebView2
 
 The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist application has been developed using this control, making it a necessary component for the app to function.
 
@@ -136,6 +136,13 @@ The Microsoft Edge WebView2 is a development control that uses Microsoft Edg
 
 For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution)
 
+## Install Quick Assist on macOS
+
+Quick Assist for macOS is available for interactions with Microsoft Support. If Microsoft products on your macOS device are not working as expected, contact [Microsoft Support](https://support.microsoft.com/contactus) for assistance. Your Microsoft Support agent will guide you through the process of downloading and installing it on your device.
+
+> [!NOTE]
+> Quick Assist for macOS is not available outside of Microsoft Support interactions.
+
 ## Next steps
 
 If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332).

windows/client-management/manage-windows-copilot.md

@@ -6,6 +6,9 @@ ms.subservice: windows-copilot
 ms.date: 03/21/2024
 ms.author: mstewart
 author: mestew
+ms.collection:
+  - windows-copilot
+  - magic-ai-copilot
 appliesto:
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 or later</a>
 ---

windows/client-management/mdm/activesync-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: ActiveSync DDF file
 description: View the XML file containing the device description framework (DDF) for the ActiveSync configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10240</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>

windows/client-management/mdm/applocker-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: AppLocker DDF file
 description: View the XML file containing the device description framework (DDF) for the AppLocker configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>

windows/client-management/mdm/assignedaccess-csp.md

@@ -1,7 +1,7 @@
 ---
 title: AssignedAccess CSP
 description: Learn more about the AssignedAccess CSP.
-ms.date: 02/29/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -14,7 +14,6 @@ ms.date: 02/29/2024
 The AssignedAccess configuration service provider (CSP) is used to configure a kiosk or restricted user experience. Once the CSP is executed, the next user login that is associated with the Assigned Access profile puts the device into the kiosk mode specified in the CSP configuration.
 
 To learn more about how to configure Assigned Access, see [Configure kiosks and restricted user experiences](/windows/configuration/assigned-access).
-
 <!-- AssignedAccess-Editable-End -->
 
 <!-- AssignedAccess-Tree-Begin -->
@@ -51,7 +50,6 @@ This node accepts an AssignedAccessConfiguration xml as input.
 <!-- Device-Configuration-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 To learn how to configure xml file, see [Create an Assigned Access configuration XML file](/windows/configuration/assigned-access/configuration-file)
-
 <!-- Device-Configuration-Editable-End -->
 
 <!-- Device-Configuration-DFProperties-Begin -->

windows/client-management/mdm/assignedaccess-ddf.md

@@ -1,7 +1,7 @@
 ---
 title: AssignedAccess DDF file
 description: View the XML file containing the device description framework (DDF) for the AssignedAccess configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10240</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>
@@ -54,7 +54,7 @@ The following XML file contains the device description framework (DDF) for the A
         </AccessType>
         <Description>This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
 
-Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
+Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. 
 
 When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
 

windows/client-management/mdm/bitlocker-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: BitLocker DDF file
 description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the B
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.15063</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>
@@ -142,7 +142,7 @@ The following XML file contains the device description framework (DDF) for the B
                          If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.”
                          The format is string.
                          Sample value for this node to enable this policy and set the encryption methods is:
-                       
+                         
 
                          EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives.
                          EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
@@ -194,7 +194,7 @@ The following XML file contains the device description framework (DDF) for the B
                          Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                       
+                         
 
                          ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
                          All of the below settings are for computers with a TPM.
@@ -250,7 +250,7 @@ The following XML file contains the device description framework (DDF) for the B
                          NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                       
+                         
 
                          Disabling the policy will let the system choose the default behaviors.
                          If you want to disable this policy use the following SyncML:
@@ -291,7 +291,7 @@ The following XML file contains the device description framework (DDF) for the B
                          Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                       
+                         
 
                          The possible values for 'xx' are:
                          0 = Empty
@@ -344,7 +344,7 @@ The following XML file contains the device description framework (DDF) for the B
                          If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                       
+                         
 
                          The possible values for 'xx' are:
                          true = Explicitly allow
@@ -402,7 +402,7 @@ The following XML file contains the device description framework (DDF) for the B
                          If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                       
+                         
 
                          The possible values for 'xx' are:
                          true = Explicitly allow
@@ -454,7 +454,7 @@ The following XML file contains the device description framework (DDF) for the B
                          If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                       
+                         
 
                          Disabling the policy will let the system choose the default behaviors.
                          If you want to disable this policy use the following SyncML:
@@ -495,7 +495,7 @@ The following XML file contains the device description framework (DDF) for the B
                          Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
                          The format is string.
                          Sample value for this node to enable this policy is:
-                       
+                         
 
                          The possible values for 'xx' are:
                          true = Explicitly allow
@@ -575,7 +575,7 @@ The following XML file contains the device description framework (DDF) for the B
                          require reinstallation of Windows.
                          Note: This policy takes effect only if "RequireDeviceEncryption" policy is set to 1.
                          The format is integer.
-                         The expected values for this policy are:
+                         The expected values for this policy are: 
 
                          1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed.
                          0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, 
@@ -623,7 +623,7 @@ The following XML file contains the device description framework (DDF) for the B
                          If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user
                          is the current logged on user in the system.
 
-                         The expected values for this policy are:
+                         The expected values for this policy are: 
 
                          1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
                          0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy
@@ -741,7 +741,7 @@ The policy only comes into effect when Active Directory backup for a recovery pa
                               
 * status\RotateRecoveryPasswordsStatus 
                               * status\RotateRecoveryPasswordsRequestID
-                        
+                          
 
                           
 Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\

windows/client-management/mdm/clientcertificateinstall-csp.md

@@ -1,7 +1,7 @@
 ---
 title: ClientCertificateInstall CSP
 description: Learn more about the ClientCertificateInstall CSP.
-ms.date: 01/31/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -9,6 +9,8 @@ ms.date: 01/31/2024
 <!-- ClientCertificateInstall-Begin -->
 # ClientCertificateInstall CSP
 
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
 <!-- ClientCertificateInstall-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request.
@@ -38,6 +40,7 @@ The following list shows the ClientCertificateInstall configuration service prov
       - [ErrorCode](#devicescepuniqueiderrorcode)
       - [Install](#devicescepuniqueidinstall)
         - [AADKeyIdentifierList](#devicescepuniqueidinstallaadkeyidentifierlist)
+        - [AttestPrivateKey](#devicescepuniqueidinstallattestprivatekey)
         - [CAThumbprint](#devicescepuniqueidinstallcathumbprint)
         - [Challenge](#devicescepuniqueidinstallchallenge)
         - [ContainerName](#devicescepuniqueidinstallcontainername)
@@ -76,6 +79,7 @@ The following list shows the ClientCertificateInstall configuration service prov
       - [ErrorCode](#userscepuniqueiderrorcode)
       - [Install](#userscepuniqueidinstall)
         - [AADKeyIdentifierList](#userscepuniqueidinstallaadkeyidentifierlist)
+        - [AttestPrivateKey](#userscepuniqueidinstallattestprivatekey)
         - [CAThumbprint](#userscepuniqueidinstallcathumbprint)
         - [Challenge](#userscepuniqueidinstallchallenge)
         - [ContainerName](#userscepuniqueidinstallcontainername)
@@ -828,6 +832,45 @@ Optional. Specify the Microsoft Entra ID Key Identifier List as a semicolon sepa
 
 <!-- Device-SCEP-{UniqueID}-Install-AADKeyIdentifierList-End -->
 
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-Begin -->
+##### Device/SCEP/{UniqueID}/Install/AttestPrivateKey
+
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-Applicability-End -->
+
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/AttestPrivateKey
+```
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-OmaUri-End -->
+
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-Description-Begin -->
+<!-- Description-Source-DDF -->
+Defines the attest SCEP private key behavior 0 - normal, 1 - best effort, 2 - on error, fail the installation.
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-Description-End -->
+
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-Editable-End -->
+
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Get |
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-DFProperties-End -->
+
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-Examples-End -->
+
+<!-- Device-SCEP-{UniqueID}-Install-AttestPrivateKey-End -->
+
 <!-- Device-SCEP-{UniqueID}-Install-CAThumbprint-Begin -->
 ##### Device/SCEP/{UniqueID}/Install/CAThumbprint
 
@@ -2402,6 +2445,55 @@ Optional. Specify the Microsoft Entra ID Key Identifier List as a semicolon sepa
 
 <!-- User-SCEP-{UniqueID}-Install-AADKeyIdentifierList-End -->
 
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-Begin -->
+##### User/SCEP/{UniqueID}/Install/AttestPrivateKey
+
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-Applicability-End -->
+
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/AttestPrivateKey
+```
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-OmaUri-End -->
+
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-Description-Begin -->
+<!-- Description-Source-DDF -->
+Defines the attest SCEP private key behavior 0 - normal, 1 - best effort, 2 - on error, fail the installation.
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-Description-End -->
+
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-Editable-End -->
+
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Get |
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-DFProperties-End -->
+
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Don't attest private key. |
+| 1 | Attest key, but in case attestation failed, best effort approach - CSR is sent to the server. |
+| 2 | Attest key, but in case attestation failed, fail fast (i.e release the key and not issue a CSR to the server). |
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-AllowedValues-End -->
+
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-Examples-End -->
+
+<!-- User-SCEP-{UniqueID}-Install-AttestPrivateKey-End -->
+
 <!-- User-SCEP-{UniqueID}-Install-CAThumbprint-Begin -->
 ##### User/SCEP/{UniqueID}/Install/CAThumbprint
 

windows/client-management/mdm/clientcertificateinstall-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: ClientCertificateInstall DDF file
 description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider.
-ms.date: 01/31/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -72,8 +72,8 @@ The following XML file contains the device description framework (DDF) for the C
             <Get />
             <Replace />
           </AccessType>
-          <Description>Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
+          <Description>Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. 
-Format is node.
+Format is node. 
 Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
 </Description>
           <DFFormat>
@@ -143,7 +143,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha
               <Get />
               <Replace />
             </AccessType>
-            <Description>Optional.
+            <Description>Optional. 
 Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.</Description>
             <DFFormat>
               <chr />
@@ -169,7 +169,7 @@ Specifies the NGC container name (if NGC KSP is chosen for above node). If this
               <Get />
               <Replace />
             </AccessType>
-            <Description>Required.
+            <Description>Required. 
 CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation.
 If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten.
 If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail.
@@ -227,7 +227,7 @@ CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/
             </AccessType>
             <DefaultValue>0</DefaultValue>
             <Description>Optional. Used to specify if the PFX certificate password is encrypted with a certificate.
-If the value is
+If the value is 
 0 - Password is not encrypted
 1- Password is encrypted using the MDM certificate by the MDM server
 2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node.</Description>
@@ -353,7 +353,7 @@ If the value is
               <Get />
               <Replace />
             </AccessType>
-            <Description>Optional.
+            <Description>Optional. 
 When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. </Description>
             <DFFormat>
               <chr />
@@ -413,7 +413,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the
             <Get />
             <Replace />
           </AccessType>
-          <Description>Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
+          <Description>Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. 
 Calling Delete on the this node, should delete the corresponding SCEP certificate</Description>
           <DFFormat>
             <node />
@@ -560,6 +560,46 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat
               </MSFT:AllowedValues>
             </DFProperties>
           </Node>
+          <Node>
+            <NodeName>AttestPrivateKey</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Get />
+              </AccessType>
+              <Description>Defines the attest SCEP private key behavior 0 - normal, 1 - best effort, 2 - on error, fail the installation</Description>
+              <DFFormat>
+                <int />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:Applicability>
+                <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+                <MSFT:CspVersion>9.9</MSFT:CspVersion>
+              </MSFT:Applicability>
+              <MSFT:AllowedValues ValueType="ENUM">
+                <MSFT:Enum>
+                  <MSFT:Value>0</MSFT:Value>
+                  <MSFT:ValueDescription> Do not attest private key</MSFT:ValueDescription>
+                </MSFT:Enum>
+                <MSFT:Enum>
+                  <MSFT:Value>1</MSFT:Value>
+                  <MSFT:ValueDescription> Attest key, but in case attestation failed, best effort approach - CSR is sent to the server </MSFT:ValueDescription>
+                </MSFT:Enum>
+                <MSFT:Enum>
+                  <MSFT:Value>2</MSFT:Value>
+                  <MSFT:ValueDescription> Attest key, but in case attestation failed, fail fast (i.e release the key and not issue a CSR to the server) </MSFT:ValueDescription>
+                </MSFT:Enum>
+              </MSFT:AllowedValues>
+            </DFProperties>
+          </Node>
           <Node>
             <NodeName>SubjectName</NodeName>
             <DFProperties>
@@ -596,7 +636,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat
                 <Replace />
               </AccessType>
               <DefaultValue>3</DefaultValue>
-              <Description>Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN.
+              <Description>Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. 
 SCEP enrolled cert doesn’t support TPM PIN protection. </Description>
               <DFFormat>
                 <int />
@@ -640,7 +680,7 @@ SCEP enrolled cert doesn’t support TPM PIN protection. </Description>
                 <Replace />
               </AccessType>
               <DefaultValue>5</DefaultValue>
-              <Description>Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes.
+              <Description>Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. 
 
 Default value is: 5
 The min value is 1. </Description>
@@ -725,7 +765,7 @@ The min value is 0 which means no retry. </Description>
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>Required for enrollment. Specify private key length (RSA).
+              <Description>Required for enrollment. Specify private key length (RSA). 
 Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength.</Description>
               <DFFormat>
                 <int />
@@ -764,7 +804,7 @@ Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength.</D
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +.
+              <Description>Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. 
 
 For NGC, only SHA256 is supported as the supported algorithm</Description>
               <DFFormat>
@@ -845,7 +885,7 @@ For NGC, only SHA256 is supported as the supported algorithm</Description>
                 <Replace />
               </AccessType>
               <DefaultValue>Days</DefaultValue>
-              <Description>Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years.
+              <Description>Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. 
 MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate.</Description>
               <DFFormat>
                 <chr />
@@ -885,7 +925,7 @@ MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio
                 <Replace />
               </AccessType>
               <DefaultValue>0</DefaultValue>
-              <Description>Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
+              <Description>Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. 
 NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate.</Description>
               <DFFormat>
                 <int />
@@ -912,7 +952,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>Optional.
+              <Description>Optional. 
 Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.</Description>
               <DFFormat>
                 <chr />
@@ -1155,8 +1195,8 @@ Valid values are:
             <Get />
             <Replace />
           </AccessType>
-          <Description>Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
+          <Description>Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. 
-Format is node.
+Format is node. 
 Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
 </Description>
           <DFFormat>
@@ -1226,7 +1266,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha
               <Get />
               <Replace />
             </AccessType>
-            <Description>Optional.
+            <Description>Optional. 
 Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.</Description>
             <DFFormat>
               <chr />
@@ -1252,7 +1292,7 @@ Specifies the NGC container name (if NGC KSP is chosen for above node). If this
               <Get />
               <Replace />
             </AccessType>
-            <Description>Required.
+            <Description>Required. 
 CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation.
 If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten.
 If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail.
@@ -1310,7 +1350,7 @@ CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/
             </AccessType>
             <DefaultValue>0</DefaultValue>
             <Description>Optional. Used to specify if the PFX certificate password is encrypted with a certificate.
-If the value is
+If the value is 
 0 - Password is not encrypted
 1- Password is encrypted using the MDM certificate by the MDM server
 2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node.</Description>
@@ -1436,7 +1476,7 @@ If the value is
               <Get />
               <Replace />
             </AccessType>
-            <Description>Optional.
+            <Description>Optional. 
 When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. </Description>
             <DFFormat>
               <chr />
@@ -1496,7 +1536,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the
             <Get />
             <Replace />
           </AccessType>
-          <Description>Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
+          <Description>Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. 
 Calling Delete on the this node, should delete the corresponding SCEP certificate</Description>
           <DFFormat>
             <node />
@@ -1643,6 +1683,34 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat
               </MSFT:AllowedValues>
             </DFProperties>
           </Node>
+          <Node>
+            <NodeName>AttestPrivateKey</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+                <Get />
+              </AccessType>
+              <Description>Defines the attest SCEP private key behavior 0 - normal, 1 - best effort, 2 - on error, fail the installation</Description>
+              <DFFormat>
+                <int />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <MIME />
+              </DFType>
+              <MSFT:Applicability>
+                <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+                <MSFT:CspVersion>9.9</MSFT:CspVersion>
+              </MSFT:Applicability>
+              <MSFT:AllowedValues ValueType="None">
+              </MSFT:AllowedValues>
+            </DFProperties>
+          </Node>
           <Node>
             <NodeName>SubjectName</NodeName>
             <DFProperties>
@@ -1679,7 +1747,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat
                 <Replace />
               </AccessType>
               <DefaultValue>3</DefaultValue>
-              <Description>Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN.
+              <Description>Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. 
 SCEP enrolled cert doesn’t support TPM PIN protection. </Description>
               <DFFormat>
                 <int />
@@ -1723,7 +1791,7 @@ SCEP enrolled cert doesn’t support TPM PIN protection. </Description>
                 <Replace />
               </AccessType>
               <DefaultValue>5</DefaultValue>
-              <Description>Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes.
+              <Description>Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. 
 
 Default value is: 5
 The min value is 1. </Description>
@@ -1808,7 +1876,7 @@ The min value is 0 which means no retry. </Description>
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>Required for enrollment. Specify private key length (RSA).
+              <Description>Required for enrollment. Specify private key length (RSA). 
 Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength.</Description>
               <DFFormat>
                 <int />
@@ -1847,7 +1915,7 @@ Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength.</D
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +.
+              <Description>Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. 
 
 For NGC, only SHA256 is supported as the supported algorithm</Description>
               <DFFormat>
@@ -1928,7 +1996,7 @@ For NGC, only SHA256 is supported as the supported algorithm</Description>
                 <Replace />
               </AccessType>
               <DefaultValue>Days</DefaultValue>
-              <Description>Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years.
+              <Description>Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. 
 MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate.</Description>
               <DFFormat>
                 <chr />
@@ -1968,7 +2036,7 @@ MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio
                 <Replace />
               </AccessType>
               <DefaultValue>0</DefaultValue>
-              <Description>Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
+              <Description>Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. 
 NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate.</Description>
               <DFFormat>
                 <int />
@@ -1995,7 +2063,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio
                 <Get />
                 <Replace />
               </AccessType>
-              <Description>Optional.
+              <Description>Optional. 
 Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.</Description>
               <DFFormat>
                 <chr />

windows/client-management/mdm/declaredconfiguration-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: DeclaredConfiguration DDF file
 description: View the XML file containing the device description framework (DDF) for the DeclaredConfiguration configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
         <MSFT:CspVersion>9.9</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>

windows/client-management/mdm/devdetail-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: DevDetail DDF file
 description: View the XML file containing the device description framework (DDF) for the DevDetail configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>

windows/client-management/mdm/devicemanageability-ddf.md

@@ -1,7 +1,7 @@
 ---
 title: DeviceManageability DDF file
 description: View the XML file containing the device description framework (DDF) for the DeviceManageability configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the D
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>

windows/client-management/mdm/devicepreparation-csp.md

@@ -1,7 +1,7 @@
 ---
 title: DevicePreparation CSP
 description: Learn more about the DevicePreparation CSP.
-ms.date: 01/31/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -184,6 +184,15 @@ This node indicates whether the MDM agent was installed or not. When set to true
 | Default Value  | False |
 <!-- Device-MDMProvider-MdmAgentInstalled-DFProperties-End -->
 
+<!-- Device-MDMProvider-MdmAgentInstalled-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Mdm Agent Not Installed. |
+| true | Mdm Agent Installed. |
+<!-- Device-MDMProvider-MdmAgentInstalled-AllowedValues-End -->
+
 <!-- Device-MDMProvider-MdmAgentInstalled-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-MDMProvider-MdmAgentInstalled-Examples-End -->
@@ -263,6 +272,15 @@ This node indicates whether an MDM policy was provisioned that requires a reboot
 | Default Value  | False |
 <!-- Device-MDMProvider-RebootRequired-DFProperties-End -->
 
+<!-- Device-MDMProvider-RebootRequired-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | No Reboot Required. |
+| true | Reboot Required. |
+<!-- Device-MDMProvider-RebootRequired-AllowedValues-End -->
+
 <!-- Device-MDMProvider-RebootRequired-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-MDMProvider-RebootRequired-Examples-End -->
@@ -303,6 +321,15 @@ This node determines whether to show the Device Preparation page during OOBE.
 | Default Value  | false |
 <!-- Device-PageEnabled-DFProperties-End -->
 
+<!-- Device-PageEnabled-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Disable Page. |
+| true | Enable Page. |
+<!-- Device-PageEnabled-AllowedValues-End -->
+
 <!-- Device-PageEnabled-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 <!-- Device-PageEnabled-Examples-End -->

windows/client-management/mdm/devicepreparation-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: DevicePreparation DDF file
 description: View the XML file containing the device description framework (DDF) for the DevicePreparation configuration service provider.
-ms.date: 01/31/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -64,6 +64,16 @@ The following XML file contains the device description framework (DDF) for the D
         <DFType>
           <MIME />
         </DFType>
+        <MSFT:AllowedValues ValueType="ENUM">
+          <MSFT:Enum>
+            <MSFT:Value>false</MSFT:Value>
+            <MSFT:ValueDescription>Disable Page</MSFT:ValueDescription>
+          </MSFT:Enum>
+          <MSFT:Enum>
+            <MSFT:Value>true</MSFT:Value>
+            <MSFT:ValueDescription>Enable Page</MSFT:ValueDescription>
+          </MSFT:Enum>
+        </MSFT:AllowedValues>
       </DFProperties>
     </Node>
     <Node>
@@ -320,6 +330,16 @@ The following XML file contains the device description framework (DDF) for the D
           <DFType>
             <MIME />
           </DFType>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>false</MSFT:Value>
+              <MSFT:ValueDescription>Mdm Agent Not Installed</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>true</MSFT:Value>
+              <MSFT:ValueDescription>Mdm Agent Installed</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
         </DFProperties>
       </Node>
       <Node>
@@ -342,6 +362,16 @@ The following XML file contains the device description framework (DDF) for the D
           <DFType>
             <MIME />
           </DFType>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>false</MSFT:Value>
+              <MSFT:ValueDescription>No Reboot Required</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>true</MSFT:Value>
+              <MSFT:ValueDescription>Reboot Required</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
         </DFProperties>
       </Node>
     </Node>

windows/client-management/mdm/devicestatus-ddf.md

@@ -1,7 +1,7 @@
 ---
 title: DeviceStatus DDF file
 description: View the XML file containing the device description framework (DDF) for the DeviceStatus configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the D
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>

windows/client-management/mdm/devinfo-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: DevInfo DDF file
 description: View the XML file containing the device description framework (DDF) for the DevInfo configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -41,7 +41,7 @@ The following XML file contains the device description framework (DDF) for the D
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>

windows/client-management/mdm/diagnosticlog-ddf.md

@@ -1,7 +1,7 @@
 ---
 title: DiagnosticLog DDF file
 description: View the XML file containing the device description framework (DDF) for the DiagnosticLog configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the D
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.2</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>

windows/client-management/mdm/dmacc-csp.md

@@ -1,7 +1,7 @@
 ---
 title: DMAcc CSP
 description: Learn more about the DMAcc CSP.
-ms.date: 01/31/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -709,7 +709,7 @@ Specifies the authentication type. If AAuthLevel is CLCRED, the supported types
 |:--|:--|
 | Format | `chr` (string) |
 | Access Type | Add, Get, Replace |
-| Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Syncml/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel` <br> Dependency Allowed Value: `SRVCRED` <br> Dependency Allowed Value Type: `ENUM` <br>  |
+| Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthLevel` <br> Dependency Allowed Value: `SRVCRED` <br> Dependency Allowed Value Type: `ENUM` <br>  |
 <!-- Device-{AccountUID}-AppAuth-{ObjectName}-AAuthType-DFProperties-End -->
 
 <!-- Device-{AccountUID}-AppAuth-{ObjectName}-AAuthType-AllowedValues-Begin -->

windows/client-management/mdm/dmacc-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: DMAcc DDF file
 description: View the XML file containing the device description framework (DDF) for the DMAcc configuration service provider.
-ms.date: 01/31/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -527,7 +527,7 @@ The following XML file contains the device description framework (DDF) for the D
                     </MSFT:Enum>
                   </MSFT:DependencyChangedAllowedValues>
                   <MSFT:Dependency Type="DependsOn">
-                    <MSFT:DependencyUri>Syncml/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel</MSFT:DependencyUri>
+                    <MSFT:DependencyUri>SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthLevel</MSFT:DependencyUri>
                     <MSFT:DependencyAllowedValue ValueType="ENUM">
                       <MSFT:Enum>
                         <MSFT:Value>SRVCRED</MSFT:Value>

windows/client-management/mdm/dmclient-csp.md

@@ -1,7 +1,7 @@
 ---
 title: DMClient CSP
 description: Learn more about the DMClient CSP.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -632,7 +632,7 @@ This node, when it's set, tells the client to set how many minutes the device sh
 <!-- Device-Provider-{ProviderID}-ConfigRefresh-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000.2836] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.3235] and later <br> ✅ Windows Insider Preview |
 <!-- Device-Provider-{ProviderID}-ConfigRefresh-Applicability-End -->
 
 <!-- Device-Provider-{ProviderID}-ConfigRefresh-OmaUri-Begin -->
@@ -671,7 +671,7 @@ Parent node for ConfigRefresh nodes.
 <!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000.2836] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.3235] and later <br> ✅ Windows Insider Preview |
 <!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-Applicability-End -->
 
 <!-- Device-Provider-{ProviderID}-ConfigRefresh-Cadence-OmaUri-Begin -->
@@ -712,7 +712,7 @@ This node determines the number of minutes between refreshes.
 <!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000.2836] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.3235] and later <br> ✅ Windows Insider Preview |
 <!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-Applicability-End -->
 
 <!-- Device-Provider-{ProviderID}-ConfigRefresh-Enabled-OmaUri-Begin -->
@@ -761,7 +761,7 @@ This node determines whether or not a periodic settings refresh for MDM policies
 <!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000.2836] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.3235] and later <br> ✅ Windows Insider Preview |
 <!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-Applicability-End -->
 
 <!-- Device-Provider-{ProviderID}-ConfigRefresh-PausePeriod-OmaUri-Begin -->

windows/client-management/mdm/dmclient-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: DMClient DDF file
 description: View the XML file containing the device description framework (DDF) for the DMClient configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10240</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>
@@ -477,7 +477,7 @@ The following XML file contains the device description framework (DDF) for the D
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10240</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>
@@ -2958,7 +2958,7 @@ The following XML file contains the device description framework (DDF) for the D
               <DDFName />
             </DFType>
             <MSFT:Applicability>
-              <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
+              <MSFT:OsBuildVersion>99.9.99999, 10.0.22621.3235, 10.0.22000.2836</MSFT:OsBuildVersion>
               <MSFT:CspVersion>1.6</MSFT:CspVersion>
             </MSFT:Applicability>
           </DFProperties>

windows/client-management/mdm/email2-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: EMAIL2 DDF file
 description: View the XML file containing the device description framework (DDF) for the EMAIL2 configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the E
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10240</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
       <MSFT:Deprecated />
     </DFProperties>

windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: EnterpriseDesktopAppManagement DDF file
 description: View the XML file containing the device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the E
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>
@@ -400,7 +400,7 @@ The following XML file contains the device description framework (DDF) for the E
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>

windows/client-management/mdm/enterprisemodernappmanagement-csp.md

@@ -1,7 +1,7 @@
 ---
 title: EnterpriseModernAppManagement CSP
 description: Learn more about the EnterpriseModernAppManagement CSP.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -4602,7 +4602,7 @@ Specifies HoursBetweenUpdateChecks for a specific package.
 
 | Property name | Property value |
 |:--|:--|
-| Format | `bool` |
+| Format | `int` |
 | Access Type | Get, Replace |
 | Allowed Values | Range: `[8-10000]` |
 | Default Value  | 8 |

windows/client-management/mdm/enterprisemodernappmanagement-ddf.md

@@ -1,7 +1,7 @@
 ---
 title: EnterpriseModernAppManagement DDF file
 description: View the XML file containing the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the E
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>
@@ -2587,7 +2587,7 @@ The following XML file contains the device description framework (DDF) for the E
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>
@@ -4550,7 +4550,7 @@ The following XML file contains the device description framework (DDF) for the E
                   <DefaultValue>8</DefaultValue>
                   <Description>Specifies HoursBetweenUpdateChecks for a specific package</Description>
                   <DFFormat>
-                    <bool />
+                    <int />
                   </DFFormat>
                   <Occurrence>
                     <One />

windows/client-management/mdm/euiccs-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: eUICCs DDF file
 description: View the XML file containing the device description framework (DDF) for the eUICCs configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -43,7 +43,7 @@ The following XML file contains the device description framework (DDF) for the e
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>

windows/client-management/mdm/firewall-ddf-file.md

@@ -1,7 +1,7 @@
 ---
 title: Firewall DDF file
 description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider.
-ms.date: 01/18/2024
+ms.date: 04/10/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the F
       <MSFT:Applicability>
         <MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
         <MSFT:CspVersion>1.0</MSFT:CspVersion>
-        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
       </MSFT:Applicability>
     </DFProperties>
     <Node>
@@ -4337,6 +4337,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
                 <MIME />
               </DFType>
               <MSFT:AllowedValues ValueType="SDDL">
+                <MSFT:List Delimiter="," />
               </MSFT:AllowedValues>
             </DFProperties>
           </Node>