Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into releasehealth-8884260

windows/deployment/TOC.yml

@@ -16,13 +16,9 @@
         - name: Prepare servicing strategy for Windows client updates
           href: update/waas-servicing-strategy-windows-10-updates.md
         - name: Deployment proof of concept
-          items:
-            - name: Deploy Windows 10 with MDT and Configuration Manager
           items:
             - name: 'Step by step guide: Configure a test lab to deploy Windows 10'
               href: windows-10-poc.md
-                - name: Deploy Windows 10 in a test lab using MDT
-                  href: windows-10-poc-mdt.md
             - name: Deploy Windows 10 in a test lab using Configuration Manager
               href: windows-10-poc-sc-config-mgr.md
         - name: Deployment process posters
@@ -79,10 +75,6 @@
           href: do/waas-delivery-optimization-setup.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
         - name: Configure BranchCache for Windows client updates
           href: update/waas-branchcache.md
-        - name: Prepare your deployment tools
-          items:
-            - name: Prepare for deployment with MDT
-              href: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
         - name: Prepare for deployment with Configuration Manager
           href: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
         - name: Build a successful servicing strategy
@@ -112,16 +104,6 @@
                   href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
                 - name: In-place upgrade
                   href: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
-            - name: Deploy Windows client with MDT
-              items:
-                - name: Deploy to a new device
-                  href: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
-                - name: Refresh a device
-                  href: deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
-                - name: Replace a device
-                  href: deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
-                - name: In-place upgrade
-                  href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
         - name: Deploy Windows client updates
           items:
             - name: Assign devices to servicing channels

windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md

@@ -17,7 +17,7 @@ ms.date: 10/27/2022
 
 - Windows 10
 
-This article will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refresh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
+This article will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation.
 
 A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps:
 

windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md

@@ -19,7 +19,7 @@ ms.date: 10/27/2022
 
 In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Configuration Manager. This process is similar to refreshing a computer, but since you're replacing the device, you have to run the backup job separately from the deployment of Windows 10.
 
-In this article, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This process is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
+In this article, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006.
 
 ## Infrastructure
 
@@ -221,11 +221,11 @@ Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager
 
 ## Related articles
 
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
+- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
+- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
+- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
+- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
+- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
+- [Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
+- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
+- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)

windows/deployment/do/mcc-enterprise-prerequisites.md

@@ -19,16 +19,16 @@ ms.date: 11/07/2023
 # Requirements of Microsoft Connected Cache for Enterprise and Education (early preview)
 
 > [!NOTE]
-> We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
+> As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
 
 ## Enterprise requirements for MCC
 
 1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services.
 
-    Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
+    Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription costs you nothing. If you don't have an Azure subscription already, you can create an Azure [pay-as-you-go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
 
     The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions.
-1. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
+1. **Hardware to host MCC**: The recommended configuration serves approximately 35,000 managed devices, downloading a 2-GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
   
    > [!NOTE]
    > Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations.
@@ -36,7 +36,7 @@ ms.date: 11/07/2023
     **EFLOW requires Hyper-V support**
     - On Windows client, enable the Hyper-V feature.
     - On Windows Server, install the Hyper-V role and create a default network switch.
-    - For additional requirements, see [EFLOW requirements](/azure/iot-edge/iot-edge-for-linux-on-windows#prerequisites).
+    - For more requirements, see [EFLOW requirements](/azure/iot-edge/iot-edge-for-linux-on-windows#prerequisites).
 
     Disk recommendations:
     - Using an SSD is recommended as cache read speed of SSD is superior to HDD
@@ -44,7 +44,7 @@ ms.date: 11/07/2023
     NIC requirements:
     - Multiple NICs on a single MCC instance aren't supported.
     - 1 Gbps NIC is the minimum speed recommended but any NIC is supported.
-    - For best performance, NIC and BIOS should support SR-IOV
+    - For best performance, NIC and BIOS should support SR-IOV.
 
     VM networking:
     -  An external virtual switch to support outbound and inbound network communication (created during the installation process)

windows/deployment/index.yml

@@ -1,4 +1,4 @@
-### YamlMime:Hub
+### YamlMime:Landing
 
 title: Deploy and update Windows # < 60 chars; shows at top of hub page
 summary: Learn about deploying and updating Windows client devices in your organization. # < 160 chars
@@ -6,7 +6,7 @@ summary: Learn about deploying and updating Windows client devices in your organ
 metadata:
   title: Windows client deployment documentation # Required; browser tab title displayed in search results. Include the brand. < 60 chars.
   description: Learn about deploying and updating Windows client devices in your organization. # Required; article description that is displayed in search results. < 160 chars.
-  ms.topic: hub-page
+  ms.topic: landing-page
   ms.service: windows-client
   ms.subservice: itpro-deploy
   ms.collection:
@@ -15,16 +15,16 @@ metadata:
   author: aczechowski
   ms.author: aaroncz
   manager: aaroncz
-  ms.date: 01/18/2024
+  ms.date: 04/01/2024
   localization_priority: medium
 
-# common graphics: https://review.learn.microsoft.com/content-production-service/internal/image-gallery?branch=main
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
 
-productDirectory:
+landingContent:
-  title: Get started
+
-  items:
+- title: Plan
-    - title: Plan
+  linkLists:
-      imageSrc: /media/common/i_overview.svg
+  - linkListType: concept
     links:
     - text: Plan for Windows 11
       url: /windows/whats-new/windows-11-plan?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
@@ -39,8 +39,9 @@ productDirectory:
     - text: Plan for volume activation
       url: volume-activation/plan-for-volume-activation-client.md
 
-    - title: Prepare
+- title: Prepare
-      imageSrc: /media/common/i_tasks.svg
+  linkLists:
+  - linkListType: get-started
     links:
     - text: Prepare for Windows 11
       url: /windows/whats-new/windows-11-prepare?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
@@ -55,8 +56,9 @@ productDirectory:
     - text: Prepare for imaging with Configuration Manager
       url: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
 
-    - title: Deploy
+- title: Deploy
-      imageSrc: /media/common/i_deploy.svg
+  linkLists:
+  - linkListType: deploy
     links:
     - text: Deploy Windows with Autopilot
       url: /mem/autopilot/tutorial/autopilot-scenarios
@@ -71,12 +73,9 @@ productDirectory:
     - text: Check release health
       url: update/check-release-health.md
 
-additionalContent:
+- title: Windows Autopilot
-  sections:
+  linkLists:
-    - title: Solutions
+  - linkListType: how-to-guide
-      items:
-
-      - title: Windows Autopilot
     links:
       - text: Overview
         url: /mem/autopilot/windows-autopilot
@@ -87,7 +86,9 @@ additionalContent:
       - text: Learn more about Windows Autopilot >
         url: /mem/autopilot
 
-      - title: Windows Autopatch
+- title: Windows Autopatch
+  linkLists:
+  - linkListType: how-to-guide
     links:
       - text: What is Windows Autopatch?
         url: windows-autopatch/overview/windows-autopatch-overview.md
@@ -98,7 +99,9 @@ additionalContent:
       - text: Learn more about Windows Autopatch >
         url: windows-autopatch/index.yml
 
-      - title: Windows Update for Business
+- title: Windows Update for Business
+  linkLists:
+  - linkListType: how-to-guide
     links:
       - text: What is Windows Update for Business?
         url: update/waas-manage-updates-wufb.md
@@ -109,7 +112,9 @@ additionalContent:
       - text: Windows Update for Business reports overview
         url: update/wufb-reports-overview.md
 
-      - title: Optimize and cache content
+- title: Optimize and cache content
+  linkLists:
+  - linkListType: how-to-guide
     links:
       - text: What is Delivery Optimization?
         url: do/waas-delivery-optimization.md
@@ -120,7 +125,9 @@ additionalContent:
       - text: Learn more about Delivery Optimization >
         url: do/index.yml
 
-      - title: In-place upgrade and imaging
+- title: In-place upgrade and imaging
+  linkLists:
+  - linkListType: how-to-guide
     links:
       - text: Upgrade Windows using Configuration Manager
         url: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
@@ -131,7 +138,9 @@ additionalContent:
       - text: Resolve Windows upgrade errors
         url: upgrade/resolve-windows-upgrade-errors.md
 
-      - title: Licensing and activation
+- title: Licensing and activation
+  linkLists:
+  - linkListType: how-to-guide
     links:
       - text: Plan for volume activation
         url: volume-activation/plan-for-volume-activation-client.md
@@ -144,10 +153,12 @@ additionalContent:
       - text: Windows commercial licensing overview
         url: /windows/whats-new/windows-licensing
 
-    - title: More resources
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
-      items:
 
-      - title: Release and lifecycle
+- title: More resources
+  linkLists:
+  - linkListType: reference
+    # Release and lifecycle
     links:
       - text: Windows release health dashboard
         url: /windows/release-health
@@ -155,26 +166,17 @@ additionalContent:
         url: /windows/whats-new/feature-lifecycle
       - text: Lifecycle FAQ - Windows
         url: /lifecycle/faq/windows
-
+  - linkListType: download
-      - title: Windows hardware
+    # Windows hardware
     links:
       - text: Download and install the Windows ADK
         url: /windows-hardware/get-started/adk-install
       - text: Deployment tools
         url: /windows-hardware/manufacture/desktop/boot-and-install-windows
-#          - text: 
+  - linkListType: whats-new
-#            url: 
+    # Community
-#          - text: 
-#            url: 
-
-      - title: Community
     links:
       - text: Windows IT pro blog
         url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog
       - text: Windows office hours
         url: https://aka.ms/windows/officehours
-#          - text: 
-#            url: 
-#          - text: 
-#            url: 
-

windows/deployment/planning/windows-10-enterprise-faq-itpro.yml

@@ -82,7 +82,7 @@ sections:
       - question: |
           Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
         answer: |
-          Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md).
+          Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md).
 
       - question: |
           Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?

windows/deployment/wds-boot-support.md

@@ -61,6 +61,5 @@ If you currently use WDS with **boot.wim** from installation media for end-to-en
 
 ## Also see
 
-[Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing)<br>
+- [Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing)
-[Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
+- [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)<br>

windows/deployment/windows-10-poc.md

@@ -22,10 +22,7 @@ This guide contains instructions to configure a proof of concept (PoC) environme
 > [!NOTE]
 > Microsoft also offers a pre-configured lab using an evaluation version of Configuration Manager. For more information, see [Windows and Office deployment and management lab kit](/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab).
 
-This lab guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides:
+This lab guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md).
-
-- [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
-- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
 
 The proof of concept (PoC) deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that aren't familiar with these tools, and you want to set up a PoC environment. Don't use the instructions in this guide in a production setting. They aren't meant to replace the instructions found in production deployment guidance.
 
@@ -1044,4 +1041,5 @@ Use the following procedures to verify that the PoC environment is configured pr
 
 ## Next steps
 
-- [Windows 10 deployment scenarios](windows-deployment-scenarios.md).
+- [Windows 10 deployment scenarios](windows-deployment-scenarios.md)
+- [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)

windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md

@@ -79,24 +79,6 @@ These policies control the minimum target version of Windows that a device is me
 | Included groups | Modern Workplace Devices-Windows Autopatch-Test  | Modern Workplace Devices-Windows Autopatch-First | Modern Workplace Devices-Windows Autopatch-Fast | Modern Workplace Devices-Windows Autopatch-Broad |
 | Excluded groups | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices |
 
-#### Windows 11 testing
-
-To allow customers to test Windows 11 in their environment, there's a separate DSS policy that enables you to test Windows 11 before broadly adopting within your environment.
-
-##### Windows 11 deployment setting
-
-| Setting name | Test |
-| ----- | ----- |
-| Name | Windows 11 |
-| Rollout options | Immediate start |
-
-##### Windows 11 assignments
-
-| Setting name | Test |
-| ----- | ----- |
-| Included groups | Modern Workplace - Windows 11 Pre-Release Test Devices |
-| Excluded groups | None |
-
 ## Conflicting and unsupported policies
 
 Deploying any of the following policies to a Windows Autopatch device makes that device ineligible for management since the device prevents us from delivering the service as designed.

windows/security/application-security/application-control/windows-defender-application-control/deployment/create-code-signing-cert-for-wdac.md

@@ -11,7 +11,7 @@ ms.date: 12/01/2022
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
 
-As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](wdac-deployment-guide.md).
+As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need to use [Microsoft's Trusted Signing service](/azure/trusted-signing/), a publicly issued code signing certificate or an internal CA. If you've purchased a code signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](wdac-deployment-guide.md).
 
 If you have an internal CA, complete these steps to create a code signing certificate.
 
@@ -20,7 +20,7 @@ If you have an internal CA, complete these steps to create a code signing certif
 >
 > - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
 > - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.
-> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256.
+> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA256.
 > - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
 
 1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.

windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-catalog-files-to-support-wdac.md

@@ -75,7 +75,7 @@ When finished, the tool saves the files to your desktop. You can view the `*.cdf
 
 ## Sign your catalog file
 
-Now that you've created a catalog file for your app, you're ready to sign it.
+Now that you've created a catalog file for your app, you're ready to sign it. We recommend using [Microsoft's Trusted Signing service](/azure/trusted-signing/) for catalog signing. Optionally, you can manually sign the catalog using Signtool using the following instructions.
 
 ### Catalog signing with SignTool.exe
 
@@ -336,13 +336,16 @@ Some of the known issues using Package Inspector to build a catalog file are:
     - Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this USN was the most recent one when you ran PackageInspector start). Then use fsutil.exe to read that starting location. Replace "RegKeyValue" in the following command with the value from the reg key:<br>
     `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt`
     - The above command should return an error if the older USNs don't exist anymore due to overflow
-    - You can expand the USN Journal size using: `fsutil usn createjournal` with a new size and allocation delta. `Fsutil usn queryjournal` shows the current size and allocation delta, so using a multiple of that may help
+    - You can expand the USN Journal size using: `fsutil usn createjournal` with a new size and allocation delta. `Fsutil usn queryjournal` shows the current size and allocation delta, so using a multiple of that may help.
+
 - **CodeIntegrity - Operational event log is too small to track all files created by the installer**
   - To diagnose whether Eventlog size is the issue, after running through Package Inspector:
     - Open Event Viewer and expand the **Application and Services//Microsoft//Windows//CodeIntegrity//Operational**. Check for a 3076 audit block event for the initial installer launch.
-    - To increase the Event log size, in Event Viewer right-click the operational log, select Properties, and then set new values
+    - To increase the Event log size, in Event Viewer right-click the operational log, select Properties, and then set new values.
+
 - **Installer or app files that change hash each time the app is installed or run**
   - Some apps generate files at run time whose hash value is different every time. You can diagnose this issue by reviewing the hash values in the 3076 audit block events (or 3077 enforcement events) that are generated. If each time you attempt to run the file you observe a new block event with a different hash, the package doesn't work with Package Inspector.
+
 - **Files with an invalid signature blob or otherwise "unhashable" files**
   - This issue arises when a signed file was modified in a way that invalidates the file's PE header. A file modified in this way is unable to be hashed according to the Authenticode spec.
   - Although these "unhashable" files can't be included in the catalog file created by PackageInspector, you should be able to allow them by adding a hash ALLOW rule to your policy that uses the file's flat file hash.

windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection.md

@@ -38,6 +38,6 @@ For more information on using signed policies, see [Use signed policies to prote
 
 Some ways to obtain code signing certificates for your own use, include:
 
+- Use Microsoft's [Trusted Signing service](/azure/trusted-signing/).
 - Purchase a code signing certificate from one of the [Microsoft Trusted Root Program participants](/security/trusted-root/participants-list).
 - To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-wdac.md).
-- Use Microsoft's [Azure Code Signing (ACS) service](https://aka.ms/AzureCodeSigning).