diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index 14093198a2..73d61658e2 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -56,7 +56,10 @@
"jborsecnik",
"tiburd",
"garycentric",
- "beccarobins"
+ "beccarobins",
+ "Stacyrch140",
+ "v-stsavell",
+ "American-Dipper"
]
},
"fileMetadata": {},
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 4c9144fdb9..a1273e7bd7 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -13,20 +13,25 @@ ms.collection:
# Configure federated sign-in for Windows devices
-Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via web sign-in.\
-This feature is called *federated sign-in*.\
-Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
+Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via a web sign-in experience.
+Signing in with a federated identity can be a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
## Benefits of federated sign-in
-Federated sign-in enables students to sign-in in less time, and with less friction.
+A federated sign-in experience enables students to sign-in in less time, and with less friction.
With fewer credentials to remember and a simplified sign-in process, students are more engaged and focused on learning.
+
+There are two Windows features that enable a federated sign-in experience:
+
+- *Federated sign-in*, which is designed for 1:1 student devices. For an optimal experience, you should not enable federated sign-in on shared devices
+- *Web sign-in*, which provides a similar experience to *Federated sign-in*, and can be used for shared devices
+
> [!IMPORTANT]
-> Currently, this feature is designed for 1:1 devices. For an optimal experience, you should not enable federated sign-in on shared devices.
+> *Federated sign-in* and *Web sign-in* require different configurations, which are explained in this document.
## Prerequisites
-To implement federated sign-in, the following prerequisites must be met:
+To enable a federated sign-in experience, the following prerequisites must be met:
1. A Microsoft Entra tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Microsoft Entra ID?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4]
>[!NOTE]
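Review bot: "sign-in" is used as a verb three times on the new line 27 ("enable your users to sign-in", "they can sign-in", "use QR code badges to sign-in"); the hyphenated form is the noun/adjective, so these should read "sign in" while the feature names *Federated sign-in* and *Web sign-in* keep the hyphen. The same applies to the rewritten benefits sentence ("enables students to sign-in in less time").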
@@ -43,9 +48,9 @@ To implement federated sign-in, the following prerequisites must be met:
For more information about identity matching, see [Identity matching in Microsoft Entra ID](#identity-matching-in-azure-ad).
1. Licenses assigned to the Microsoft Entra user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Microsoft Entra ID, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Microsoft Entra ID][AZ-2]
-1. Enable federated sign-in on the Windows devices
+1. Enable Federated sign-in or Web sign-in on the Windows devices, depending if the devices are shared or assigned to a single student
-To use federated sign-in, the devices must have Internet access. This feature doesn't work without it, as the authentication is done over the Internet.
+To use Federated sign-in or Web sign-in, the devices must have Internet access. These features don't work without it, as the authentication is done over the Internet.
> [!IMPORTANT]
> WS-Fed is the only supported federated protocol to join a device to Microsoft Entra ID. If you have a SAML 2.0 IdP, it's recommended to complete the Microsoft Entra join process using one of the following methods:
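Review bot: "depending if the devices are shared or assigned to a single student" in the new prerequisite item is ungrammatical; suggest "depending on whether the devices are shared or assigned to a single student".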
@@ -54,25 +59,25 @@ To use federated sign-in, the devices must have Internet access. This feature do
[!INCLUDE [federated-sign-in](../../includes/licensing/federated-sign-in.md)]
-Federated sign-in for student assigned (1:1) devices is supported on the following Windows editions and versions:
+Federated sign-in is supported on the following Windows editions and versions:
- Windows 11 SE, version 22H2 and later
- Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1]
-Federated sign-in for shared devices is supported starting in Windows 11 SE/Pro Edu/Education, version 22H2 with [KB5026446][KB-2].
+Web sign-in is supported starting in Windows 11 SE/Pro Edu/Education, version 22H2 with [KB5026446][KB-2].
-## Configure federated sign-in
+## Configure a federated sign-in experience
-You can configure federated sign-in for student assigned (1:1) devices or student shared devices:
+You can configure a federated sign-in experience for student assigned (1:1) devices or student shared devices:
-- When federated sign-in is configured for **student assigned (1:1) devices**, the first user who signs in to the device with a federated identity becomes the *primary user*. The primary user is always displayed in the bottom left corner of the sign-in screen
-- When federated sign-in is configured for **student shared devices**, there's no primary user. The sign-in screen displays, by default, the last user who signed in to the device
+- When federated sign-in is configured for **student assigned (1:1) devices**, you use a Windows feature called *Federated sign-in*. The first user who signs in to the device with a federated identity becomes the *primary user*. The primary user is always displayed in the bottom left corner of the sign-in screen
+- When federated sign-in is configured for **student shared devices**, you use a Windows feature called *Web sign-in*. With Web sign-in there's no primary user, and the sign-in screen displays, by default, the last user who signed in to the device
The configuration is different for each scenario, and is described in the following sections.
-### Configure federated sign-in for student assigned (1:1) devices
+### Configure Federated sign-in for student assigned (1:1) devices
-To use web sign-in with a federated identity provider, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
+Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
@@ -98,7 +103,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
-To configure federated sign-in using a provisioning package, use the following settings:
+To configure Federated sign-in using a provisioning package, use the following settings:
| Setting |
|--------|
@@ -109,16 +114,16 @@ To configure federated sign-in using a provisioning package, use the following s
:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Screenshot of Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
-Apply the provisioning package to the single-user devices that require federated sign-in.
+Apply the provisioning package to the 1:1 devices that require Federated sign-in.
> [!IMPORTANT]
> There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1].
---
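Review bot: the unchanged IMPORTANT note in this hunk links KB5020044 through the `[KB-1]` reference, but `[KB-1]` is defined as KB5022913 in the introduction of the same file; since this paragraph is being touched, give KB5020044 its own reference definition so the link resolves to the right article. The note also still says "configure federated sign-in with a provisioning package" while the line just above was changed to the capitalized feature name "Federated sign-in"; align the two.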
-### Configure federated sign-in for student shared devices
+### Configure Web sign-in for student shared devices
-To use web sign-in with a federated identity provider, your devices must be configured with different policies. Review the following instructions to configure your shared devices using either Microsoft Intune or a provisioning package (PPKG).
+Review the following instructions to configure your shared devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
@@ -146,7 +151,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
-To configure federated sign-in using a provisioning package, use the following settings:
+To configure web sign-in using a provisioning package, use the following settings:
| Setting |
|--------|
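Review bot: the new sentence uses lowercase "web sign-in", whereas the section heading introduced in this change ("Configure Web sign-in for student shared devices") and the prerequisite item capitalize the feature as "Web sign-in"; the document distinguishes the generic "web sign-in experience" from the feature, so use the capitalized form here.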
@@ -156,7 +161,7 @@ To configure federated sign-in using a provisioning package, use the following s
|
Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`**
Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**|
| Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`**
Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**|
-Apply the provisioning package to the shared devices that require federated sign-in.
+Apply the provisioning package to the shared devices that require web sign-in.
> [!IMPORTANT]
> There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1].
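Review bot: same two points as the 1:1 PPKG section: the rewritten "Apply the provisioning package ..." line should use the capitalized feature name "Web sign-in" to match the heading and the prerequisites, and the unchanged IMPORTANT note below it links KB5020044 via `[KB-1]`, which is defined as KB5022913 earlier in the file; fix the reference target while this block is being edited.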
@@ -172,7 +177,7 @@ As users enter their username, they're redirected to the identity provider sign-
:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Screenshot of Windows 11 SE sign-in using federated sign-in through Clever and QR code badge, in a student assigned (1:1) device." border="false":::
> [!IMPORTANT]
-> For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen.
+> For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the Federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen.
> The behavior is different for student shared devices, where the disambiguation page is always shown, unless preferred Microsoft Entra tenant name is configured.
## Important considerations
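Review bot: the rewritten IMPORTANT line only swaps in the capitalized feature name and keeps two grammar errors: "the first user who sign-in to the device" should be "the first user who signs in to the device", and "the device will be defaulting to that IdP" should be "the device defaults to that IdP". Since the line is already being replaced, correct both in the same change.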
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index e711afcc6a..853f60c4dd 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -19,7 +19,7 @@ The enrollment into Intune is triggered by a group policy created on your local
- The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client).
- The enterprise has configured a Mobile Device Management (MDM) service.
- The on-premises Active Directory must be [integrated with Microsoft Entra ID (via Microsoft Entra Connect)](/azure/architecture/reference-architectures/identity/azure-ad).
-- Service connection point (SCP) configuration. For more information see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices).
+- Service connection point (SCP) configuration. For more information, see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices).
- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents fail enrollment with `error 0x80180026`).
- The minimum Windows Server version requirement is based on the Microsoft Entra hybrid join requirement. For more information, see [How to plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
@@ -36,7 +36,7 @@ The autoenrollment relies on the presence of an MDM service and the Microsoft En
> [!NOTE]
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
-When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
+When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multifactor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
- Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM.
- Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
@@ -52,20 +52,13 @@ To configure autoenrollment using a group policy, use the following steps:
1. Link the GPO.
1. Filter using Security Groups.
-If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible.
+If you don't see the policy, get the latest ADMX for your Windows version. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible.
1. Download the administrative templates for the desired version:
- - [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880)
- - [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576)
- - [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
- - [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
- - [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
- - [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
- - [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
- - [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
- - [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677)
- - [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
+ - [Windows 11, version 23H2](https://www.microsoft.com/download/details.aspx?id=105667)
+ - [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593)
+ - [Windows 10, version 22H2](https://www.microsoft.com/download/details.aspx?id=104677)
1. Install the package on the Domain Controller.
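Review bot: the new lead-in reads redundantly: "If you don't see the policy, get the latest ADMX for your Windows version. To fix the issue, use the following procedures." The first sentence already states the fix, so "To fix the issue" can be dropped, for example "If you don't see the policy, you may not have the latest ADMX installed. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible." Also, with the 1803 through 21H2 download links removed, the unchanged step "Download the administrative templates for the desired version" no longer matches a list that only offers 22H2 and 23H2; reword it to "Download the latest administrative templates" so it is consistent with the backwards-compatibility statement.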
@@ -96,9 +89,9 @@ This procedure is only for illustration purposes to show how the new autoenrollm
>
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop).
-When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
+When a group policy refresh occurs on the client, a task is created and scheduled to run every five minutes for one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
-If two-factor authentication is required, you are prompted to complete the process. Here's an example screenshot.
+If two-factor authentication is required, you're prompted to complete the process. Here's an example screenshot.
:::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification.":::
@@ -124,10 +117,10 @@ In **Task Scheduler Library**, open **Microsoft > Windows** , then select **Ente
To see the result of the task, move the scroll bar to see the **Last Run Result**. You can see the logs in the **History** tab.
-The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
+The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`), which can be caused by enabling the **Disable MDM Enrollment** policy.
> [!NOTE]
-> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
+> The GPEdit console doesn't reflect the status of policies set by your organization on your device. It's only used by the user to set policies.
## Related articles
diff --git a/windows/client-management/mdm/clouddesktop-csp.md b/windows/client-management/mdm/clouddesktop-csp.md
index 81b438b379..b8a0a69fad 100644
--- a/windows/client-management/mdm/clouddesktop-csp.md
+++ b/windows/client-management/mdm/clouddesktop-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/23/2023
+ms.date: 10/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -26,16 +26,72 @@ ms.topic: reference
The following list shows the CloudDesktop configuration service provider nodes:
- ./Device/Vendor/MSFT/CloudDesktop
+ - [BootToCloudPCEnhanced](#boottocloudpcenhanced)
- [EnableBootToCloudSharedPCMode](#enableboottocloudsharedpcmode)
+
+## BootToCloudPCEnhanced
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/CloudDesktop/BootToCloudPCEnhanced
+```
+
+
+
+
+This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching.
+
+
+
+
+> [!IMPORTANT]
+> If BootToCloudPCEnhanced and EnableBootToCloudSharedPCMode are both configured, BootToCloudPCEnhanced is given priority and overrides EnableBootToCloudSharedPCMode.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not Configured. |
+| 1 | Enable Boot to Cloud Shared PC Mode. |
+| 2 | Enable Boot to Cloud Personal Mode (Cloud only). |
+
+
+
+
+
+
+
+
## EnableBootToCloudSharedPCMode
+> [!NOTE]
+> This policy is deprecated and may be removed in a future release.
+
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.22631.2050] |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
@@ -51,6 +107,8 @@ Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to
+> [!IMPORTANT]
+> If BootToCloudPCEnhanced and EnableBootToCloudSharedPCMode are both configured, BootToCloudPCEnhanced is given priority and overrides EnableBootToCloudSharedPCMode.
@@ -80,66 +138,86 @@ Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to
-## EnableBootToCloudSharedPCMode technical reference
+## BootToCloudPCEnhanced technical reference
-EnableBootToCloudSharedPCMode setting is used to configure **Boot to Cloud** feature for shared user mode. When you enable this setting, multiple policies are applied to achieve the intended behavior.
+BootToCloudPCEnhanced is the setting used to configure **Boot to Cloud** feature either for shared mode or personal mode. When you enable this setting, multiple policies are applied to achieve the intended behavior. If you wish to customize the **Boot to Cloud** experience, you can utilize the [BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) policy, which provides the flexibility to tailor the experience according to your requirements.
> [!NOTE]
-> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared user mode.
+> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared and personal mode.
-### MDM Policies
+### Boot to Cloud Shared PC Mode
-When this mode is enabled, these MDM policies are applied for the Device scope (all users):
+When the Shared PC mode is enabled by setting BootToCloudPCEnhanced value to 1:
-| Setting | Value | Value Description |
-|----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
-| [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop |
-| [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell |
-| [ADMX_CredentialProviders/DefaultCredentialProvider](policy-csp-admx-credentialproviders.md#defaultcredentialprovider) | Enabled | Configures default credential provider to password provider |
-| [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list |
-| [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached |
+- Following MDM policies are applied for the Device scope (all users):
-### Group Policies
+ | Setting | Value | Value Description |
+ |----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
+ | [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop |
+ | [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell |
+ | [ADMX_CredentialProviders/DefaultCredentialProvider](policy-csp-admx-credentialproviders.md#defaultcredentialprovider) | Enabled | Configures default credential provider to password provider |
+ | [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list |
+ | [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached |
-When this mode is enabled, these local group policies are configured for all users:
+- Following local group policies are configured for all users:
-| Policy setting | Status |
-|------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
-| Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests |
-| Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in | Enabled |
-| Control Panel/Personalization/Prevent enabling lock screen slide show | Enabled |
-| System/Logon/Block user from showing account details on sign-in | Enabled |
-| System/Logon/Enumerate local users on domain-joined computers | Disabled |
-| System/Logon/Hide entry points for Fast User Switching | Enabled |
-| System/Logon/Show first sign-in animation | Disabled |
-| System/Logon/Turn off app notifications on the lock screen | Enabled |
-| System/Logon/Turn off picture password sign-in | Enabled |
-| System/Logon/Turn on convenience PIN sign-in | Disabled |
-| Windows Components/App Package Deployment/Allow a Windows app to share application data between users | Enabled |
-| Windows Components/Biometrics/Allow the use of biometrics | Disabled |
-| Windows Components/Biometrics/Allow users to log on using biometrics | Disabled |
-| Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled |
-| Windows Components/File Explorer/Show lock in the user tile menu | Disabled |
-| Windows Components/File History/Turn off File History | Enabled |
-| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled |
-| Windows Components/Windows Hello for Business/Use biometrics | Disabled |
-| Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled |
-| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
-| Windows Components/Microsoft Passport for Work | Disabled |
-| System/Ctrl+Alt+Del Options/Remove Task Manager | Enabled |
-| System/Ctrl+Alt+Del Options/Remove Change Password | Enabled |
-| Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled |
-| Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled |
-| System/Logon/Do not process the legacy run list | Enabled |
+ | Policy setting | Status |
+ |------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
+ | Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests |
+ | Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in | Enabled |
+ | Control Panel/Personalization/Prevent enabling lock screen slide show | Enabled |
+ | System/Logon/Block user from showing account details on sign-in | Enabled |
+ | System/Logon/Enumerate local users on domain-joined computers | Disabled |
+ | System/Logon/Hide entry points for Fast User Switching | Enabled |
+ | System/Logon/Show first sign-in animation | Disabled |
+ | System/Logon/Turn off app notifications on the lock screen | Enabled |
+ | System/Logon/Turn off picture password sign-in | Enabled |
+ | System/Logon/Turn on convenience PIN sign-in | Disabled |
+ | Windows Components/App Package Deployment/Allow a Windows app to share application data between users | Enabled |
+ | Windows Components/Biometrics/Allow the use of biometrics | Disabled |
+ | Windows Components/Biometrics/Allow users to log on using biometrics | Disabled |
+ | Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled |
+ | Windows Components/File Explorer/Show lock in the user tile menu | Disabled |
+ | Windows Components/File History/Turn off File History | Enabled |
+ | Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled |
+ | Windows Components/Windows Hello for Business/Use biometrics | Disabled |
+ | Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled |
+ | Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
+ | Windows Components/Microsoft Passport for Work | Disabled |
+ | System/Ctrl+Alt+Del Options/Remove Task Manager | Enabled |
+ | System/Ctrl+Alt+Del Options/Remove Change Password | Enabled |
+ | Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled |
+ | Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled |
+ | System/Logon/Do not process the legacy run list | Enabled |
-### Registry
+- Following registry changes are performed:
-When this mode is enabled, these registry changes are performed:
+ | Registry setting | Status |
+ |----------------------------------------------------------------------------------------------|--------|
+ | Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 |
+ | Software\Policies\Microsoft\PassportForWork\Enabled (Use Microsoft Passport for Work) | 0 |
-| Registry setting | Status |
-|----------------------------------------------------------------------------------------------|--------|
-| Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 |
-| Software\Policies\Microsoft\PassportForWork\Enabled (Use Microsoft Passport for Work) | 0 |
+### Boot to Cloud Personal Mode
+
+When the Personal mode is enabled by setting BootToCloudPCEnhanced value to 2:
+
+- Following MDM policies are applied for the Device scope (all users):
+
+ | Setting | Value | Value Description |
+ |----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
+ | [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop |
+ | [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell |
+ | [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list |
+ | [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached |
+
+- Following local group policies are configured for all users:
+
+ | Policy setting | Status |
+ |------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
+ | System/Ctrl+Alt+Del Options/Remove Change Password | Enabled |
+ | Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled |
+ | Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled |
+ | System/Logon/Do not process the legacy run list | Enabled |
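Review bot: The new "Boot to Cloud Personal Mode" section lists only four local group policies, and nothing tells the reader that the Shared PC mode hardening above it (biometrics, Windows Hello for Business, convenience PIN, "Interactive logon: Don't display last signed-in", and the PassportForWork registry values) is deliberately not applied in Personal mode; since Personal mode is described in the DDF as preserving the username and profile picture and allowing PIN or biometric sign-in, add one sentence after "When the Personal mode is enabled by setting BootToCloudPCEnhanced value to 2:" stating that the Shared PC mode lockdown settings are not applied, so admins do not assume the device is hardened the same way. Grammar in the same region: "Following registry changes are performed:", "Following MDM policies are applied for the Device scope (all users):" and "Following local group policies are configured for all users:" should each start with "The following ...", and the lead-in should read "When Personal mode is enabled by setting the BootToCloudPCEnhanced value to 2:".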
diff --git a/windows/client-management/mdm/clouddesktop-ddf-file.md b/windows/client-management/mdm/clouddesktop-ddf-file.md
index 8128e3e6e5..daaccf8c6c 100644
--- a/windows/client-management/mdm/clouddesktop-ddf-file.md
+++ b/windows/client-management/mdm/clouddesktop-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/29/2023
+ms.date: 10/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -45,11 +45,55 @@ The following XML file contains the device description framework (DDF) for the C
- 22631.2050
- 1.0
- 0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;
+ 99.9.99999
+ 9.9
+ 0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;
+
+ BootToCloudPCEnhanced
+
+
+
+
+
+
+
+ 0
+ This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching.
+
+
+
+
+
+
+
+
+
+ Boot to Cloud PC Enhanced
+
+
+
+
+ 99.9.99999
+ 9.9
+
+
+
+ 0
+ Not Configured
+
+
+ 1
+ Enable Boot to Cloud Shared PC Mode
+
+
+ 2
+ Enable Boot to Cloud Personal Mode (Cloud only)
+
+
+
+
EnableBootToCloudSharedPCMode
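Review bot: The BootToCloudPCEnhanced description string needs a grammar pass before it is published in the DDF and mirrored into the CSP reference: "This node allows to configure different kinds of Boot to Cloud mode" should read "This node configures the Boot to Cloud mode", "allows multiple users to sign-in on the device and use for shared purpose" should read "allows multiple users to sign in to a shared device", and "using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc)" should read "using the authentication mechanisms configured by their organization (for example, PIN or biometrics)". The description also says "Cloud Provider application must be installed on the PC" without naming or linking the application; state which app is meant so the prerequisite is actionable.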
@@ -74,6 +118,9 @@ The following XML file contains the device description framework (DDF) for the C
+
+ 88.8.88888
+
false
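Review bot: The version added to EnableBootToCloudSharedPCMode here is "88.8.88888" while BootToCloudPCEnhanced in the previous hunk of this file uses "99.9.99999" and "9.9"; confirm the two placeholders are intentionally different and document what each one means. Because BootToCloudPCEnhanced = 1 ("Enable Boot to Cloud Shared PC Mode") and EnableBootToCloudSharedPCMode now both configure shared PC mode, the CSP reference should also say which node takes precedence when both are set to conflicting values, otherwise admins migrating from the old node cannot predict the resulting sign-in lockdown.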
@@ -84,6 +131,7 @@ The following XML file contains the device description framework (DDF) for the C
Boot to cloud shared pc mode enabled
+
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md
index 5e4eb9b6d2..6625fb8a84 100644
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Personalization CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/26/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,24 +16,147 @@ ms.topic: reference
# Personalization CSP
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
-The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
+The Personalization CSP can set the lock screen, desktop background images and company branding on sign-in screen ([BootToCloud mode](policy-csp-clouddesktop.md#boottocloudmode) only). Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
> [!IMPORTANT]
-> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional only when SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set.
+> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional only when SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set, or when the device is configured in [Shared PC mode with BootToCloudPCEnhanced policy](clouddesktop-csp.md#boottocloudpcenhanced).
The following list shows the Personalization configuration service provider nodes:
- ./Vendor/MSFT/Personalization
+ - [CompanyLogoStatus](#companylogostatus)
+ - [CompanyLogoUrl](#companylogourl)
+ - [CompanyName](#companyname)
- [DesktopImageStatus](#desktopimagestatus)
- [DesktopImageUrl](#desktopimageurl)
- [LockScreenImageStatus](#lockscreenimagestatus)
- [LockScreenImageUrl](#lockscreenimageurl)
+
+## CompanyLogoStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Personalization/CompanyLogoStatus
+```
+
+
+
+
+This represents the status of the Company Logo. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. This setting is currently available for boot to cloud shared pc mode only.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## CompanyLogoUrl
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Personalization/CompanyLogoUrl
+```
+
+
+
+
+An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+## CompanyName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Personalization/CompanyName
+```
+
+
+
+
+The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `^.{1,30}$` |
+
+
+
+
+
+
+
+
## DesktopImageStatus
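Review bot: CompanyLogoUrl accepts "An http or https Url to a jpg, jpeg or png image" that the device downloads and renders on the sign-in screen; the reference should recommend https (or a file Url) for this node, since an image fetched over plain http can be replaced in transit and the CompanyLogoStatus values (4 "Unknown file type", 5 "Unsupported Url scheme") do not say whether the file type is validated by content or only by extension, which is worth stating explicitly. The scope wording is also inconsistent within the hunk: the intro says "company branding on sign-in screen ([BootToCloud mode](policy-csp-clouddesktop.md#boottocloudmode) only)", the important note links to "[Shared PC mode with BootToCloudPCEnhanced policy](clouddesktop-csp.md#boottocloudpcenhanced)", and each node says "available for boot to cloud shared pc mode only"; align all three on "Boot to Cloud Shared PC mode (BootToCloudPCEnhanced set to 1)" and capitalize "Shared PC" consistently.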
@@ -90,7 +213,7 @@ This represents the status of the DesktopImage. 1 - Successfully downloaded or c
-A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image.
+An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image.
@@ -168,7 +291,7 @@ This represents the status of the LockScreenImage. 1 - Successfully downloaded o
-A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image.
+An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image.
diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md
index a57ddb1e63..d9f8bf627c 100644
--- a/windows/client-management/mdm/personalization-ddf.md
+++ b/windows/client-management/mdm/personalization-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 10/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -49,7 +49,7 @@ The following XML file contains the device description framework (DDF) for the P
10.0.16299
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
@@ -146,6 +146,92 @@ The following XML file contains the device description framework (DDF) for the P
+
+ CompanyLogoUrl
+
+
+
+
+
+
+
+ A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 2.0
+
+
+
+
+
+
+ CompanyLogoStatus
+
+
+
+
+ This represents the status of the Company Logo. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. This setting is currently available for boot to cloud shared pc mode only.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 2.0
+
+
+
+
+ CompanyName
+
+
+
+
+
+
+
+ The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 2.0
+
+
+ ^.{1,30}$
+
+
+
```
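Review bot: The CompanyLogoUrl description in this DDF still reads "A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded", while the personalization-csp.md change in this same PR uses the corrected "An http or https Url ... that needs to be downloaded"; since the CSP reference is generated from the DDF text, fix the typo here as well so the two stay identical after the next regeneration.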
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 6a83bab027..9352455d20 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -11,22 +11,22 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 10/31/2023
---
# Evaluate infrastructure and tools
-Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
+Before you deploy an update, assess your deployment infrastructure. For example, management systems like Configuration Manager, Microsoft Intune, or similar. Also assess current configurations such as security baselines, administrative templates, and policies that affect updates. Then set some criteria to define your operational readiness.
## Infrastructure
Do your deployment tools need updates?
-- If you use Configuration Manager, is it on the Current Branch with the latest release installed.? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
+- If you use Configuration Manager, is it on the current branch with the latest release installed? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated.
- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows client feature update.
-Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so.
+Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered.
## Device settings
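Review bot: The rewritten intro introduces a sentence fragment, "For example, management systems like Configuration Manager, Microsoft Intune, or similar."; fold it into the preceding sentence, for example "Before you deploy an update, assess your deployment infrastructure, such as management systems like Configuration Manager or Microsoft Intune." The same fix applies to "Also assess current configurations such as security baselines, administrative templates, and policies that affect updates.", which reads better joined to the first sentence with "and".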
@@ -36,35 +36,35 @@ Make sure your security baseline, administrative templates, and policies have th
Keep security baselines current to help ensure that your environment is secure and that new security feature in the coming Windows client update are set properly.
-- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
-- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you are about to deploy.
+- **Microsoft security baselines**: You should implement security baselines from Microsoft. They're included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
+- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you're about to deploy.
### Configuration updates
-There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately.
+There are several Windows policies that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. For example, policies set by group policy, Intune, or other methods. Check these policies to make sure they're set appropriately.
-- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593).
-- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
+- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 23H2](https://www.microsoft.com/download/details.aspx?id=105667).
+- **Policies for update compliance and end-user experience**: Several settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
## Define operational readiness criteria
-When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
+When you deploy an update, you need to make sure the update isn't introducing new operational issues. If incidents arise, make sure the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
- **Call trend**: Define what percentage increase in calls relating to Windows client feature updates are acceptable or can be supported.
- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows client feature updates are acceptable or can be supported.
- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows client feature update.
-- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update.
+- **Process changes:** Define and update any processes that will change as a result of the Windows feature update.
-Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
+Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
## Tasks
Finally, you can begin to carry out the work needed to ensure your infrastructure and configuration can support the update. To help you keep track, you can classify the work into the following overarching tasks:
-- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they’ve all been defined.
-- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that have been identified for the update.
+- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they've all been defined.
+- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that you identified for the update.
- **Define infrastructure update plan**: Detail how your infrastructure must change to support the update.
-- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when it’s been deployed.
-- **Identify gaps that require attention**: Identify issues that will need to be addressed to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
+- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when you deploy it.
+- **Identify gaps that require attention**: Identify issues that you'll need to address to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
- **Define operational update plan**: Detail how your operational services and processes must change to support the update.
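Review bot: "There are several Windows policies that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. For example, policies set by group policy, Intune, or other methods." repeats the fragment pattern from the intro; rewrite as "Several Windows policies, whether set by Group Policy, Intune, or other methods, affect when updates are installed, deferrals, and the end-user experience." Note "Group Policy" is capitalized in the same section ("Group Policy tools use Administrative template files"), so the lowercase "group policy" here is inconsistent. While this section is being edited, the unchanged context line "that new security feature in the coming Windows client update are set properly" has a number agreement error and should read "new security features ... are set properly".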
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 83dda7c0fe..7c0031c1e0 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -15,19 +15,19 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
- ms.date: 09/26/2023
+ ms.date: 10/31/2023
highlightedContent:
items:
- title: Get started with Windows 11
itemType: get-started
url: /windows/whats-new/windows-11-overview
- - title: Windows 11, version 22H2
+ - title: Windows 11, version 23H2
itemType: whats-new
- url: /windows/whats-new/whats-new-windows-11-version-22H2
- - title: Windows 11, version 22H2 group policy settings reference
+ url: /windows/whats-new/whats-new-windows-11-version-23h2
+ - title: Windows 11, version 23H2 group policy settings reference
itemType: download
- url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
+ url: https://www.microsoft.com/download/details.aspx?id=105668
- title: Windows release health
itemType: whats-new
url: /windows/release-health
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
index 25675c2123..1e17d437e3 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -3,66 +3,69 @@ title: Get support for security baselines
description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related articles.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 07/11/2023
+ms.date: 10/31/2023
---
# Get Support
-**What is the Microsoft Security Compliance Manager (SCM)?**
+## Frequently asked questions
+
+### What is the Microsoft Security Compliance Manager (SCM)?
The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we've moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO Backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
-**Where can I get an older version of a Windows baseline?**
+### Where can I get an older version of a Windows baseline?
-Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
+Any version of Windows baseline before Windows 10, version 1703, can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
-**What file formats are supported by the new SCT?**
+### What file formats are supported by the new SCT?
-The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' .cab files are no longer supported.
+The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' `.cab` files are no longer supported.
-**Does SCT support Desired State Configuration (DSC) file format?**
+### Does SCT support Desired State Configuration (DSC) file format?
No. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration.
-**Does SCT support the creation of Microsoft Configuration Manager DCM packs?**
+### Does SCT support the creation of Microsoft Configuration Manager DCM packs?
-No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO Backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
+No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). For a tool that supports conversion of GPO Backups to DSC format, see [BaselineManagement](https://github.com/Microsoft/BaselineManagement).
-**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?**
+### Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?
No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new toolkit likewise doesn't include SCAP support.
-## Version Matrix
+## Version matrix
-**Client Versions**:
+### Client versions
-| Name | Build | Baseline Release Date | Security Tools |
+| Name | Build | Baseline release date | Security tools |
|--|--|--|--|
+| Windows 11 | [23H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-23h2-security-baseline/ba-p/3967618)
| October 2023
| [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520)
| September 2022
| [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724)
[21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update) | October 2022
December 2021
December 2020
October 2018
October 2016
January 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-**Server Versions**:
+### Server versions
-| Name | Build | Baseline Release Date | Security Tools |
-|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|---------------------------------------------------------------------|
-| Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Name | Build | Baseline Release Date | Security Tools |
+|--|--|--|--|
+| Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-**Microsoft Products**:
+### Microsoft products
-| Name | Details | Security Tools |
-|-------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
+| Name | Details | Security Tools |
+|--|--|--|
| Microsoft 365 Apps for enterprise, version 2206 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Microsoft Edge, version 107 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Microsoft Edge, version 107 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
## Related articles
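Review bot: the Windows Server 2012 R2 row in the server baseline table links to the same Windows 10 v1607 / Windows Server 2016 SecGuide post as the 2016 row, and the Microsoft Edge, version 107 row links to a post whose slug is `security-baseline-for-microsoft-edge-v98`; both look like stale targets carried over from the old table, so please confirm each row points at the baseline it names. The `Build` header over a column that holds SecGuide links is also misleading; `Details`, as used in the Microsoft products table, would fit better.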
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
index b145f9c722..0376d87c85 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -1,12 +1,12 @@
---
title: Microsoft Security Compliance Toolkit Guide
-description: This article describes how to use Security Compliance Toolkit in your organization
+description: This article describes how to use Security Compliance Toolkit in your organization.
ms.localizationpriority: medium
ms.collection:
- highpri
- tier3
ms.topic: conceptual
-ms.date: 07/11/2023
+ms.date: 10/31/2023
---
# Microsoft Security Compliance Toolkit - How to use
@@ -20,6 +20,7 @@ The SCT enables administrators to effectively manage their enterprise's Group Po
The Security Compliance Toolkit consists of:
- Windows 11 security baseline
+ - Windows 11, version 23H2
- Windows 11, version 22H2
- Windows 11, version 21H2
- Windows 10 security baselines
@@ -38,7 +39,7 @@ The Security Compliance Toolkit consists of:
- Office 2016
- Microsoft 365 Apps for Enterprise Version 2206
- Microsoft Edge security baseline
- - Edge version 114
+ - Microsoft Edge version 114
- Tools
- Policy Analyzer
- Local Group Policy Object (LGPO)
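Review bot: the renamed entry `Microsoft Edge version 114` in this list disagrees with the Microsoft products table touched earlier in this same change, which still lists `Microsoft Edge, version 107`; one of the two versions should be updated so the toolkit listing and the baseline table agree.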
@@ -68,12 +69,12 @@ Documentation for the LGPO tool can be found on the [Microsoft Security Guidance
## What is the Set Object Security tool?
-`SetObjectSecurity.exe` enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg file compatible representation of the security descriptor for a REG_BINARY registry value.
+`SetObjectSecurity.exe` enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a `.reg` file compatible representation of the security descriptor for a REG_BINARY registry value.
Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the GPO to Policy Rules tool?
-Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download.
+Automate the conversion of GPO backups to Policy Analyzer `.PolicyRules` files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download.
Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
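Review bot: the reworded SetObjectSecurity sentence still repeats "the security descriptor" twice ("output the security descriptor in a `.reg` file compatible representation of the security descriptor"); since the line is being touched anyway, consider "You can also output the security descriptor as a REG_BINARY value in `.reg` file format."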
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index 2bd556b46f..c9468c7091 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -12,7 +12,9 @@
- name: Prepare for Windows 11
href: windows-11-prepare.md
- name: Windows 11 enterprise feature control
- href: temporary-enterprise-feature-control.md
+ href: temporary-enterprise-feature-control.md
+ - name: What's new in Windows 11, version 23H2
+ href: whats-new-windows-11-version-23h2.md
- name: What's new in Windows 11, version 22H2
href: whats-new-windows-11-version-22h2.md
- name: Windows 10
@@ -36,6 +38,6 @@
- name: Deprecated Windows features
href: deprecated-features.md
- name: Resources for deprecated features
- href: deprecated-features-resources.md
+ href: deprecated-features-resources.md
- name: Removed Windows features
href: removed-features.md
\ No newline at end of file
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index 193ffc24a8..88f1b323b1 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -15,12 +15,12 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
- ms.date: 11/14/2022
+ ms.date: 10/31/2023
localization_priority: medium
landingContent:
- - title: Windows 11
+ - title: Windows 11 planning
linkLists:
- linkListType: overview
links:
@@ -35,9 +35,18 @@ landingContent:
- text: Windows commercial licensing overview
url: windows-licensing.md
+ - title: Windows 11
+ linkLists:
+ - linkListType: whats-new
+ links:
+ - text: What's new in Windows 11, version 23H2
+ url: whats-new-windows-11-version-23h2.md
+ - text: What's new in Windows 11, version 22H2
+ url: whats-new-windows-11-version-22h2.md
+
- title: Windows 10
linkLists:
- - linkListType: overview
+ - linkListType: whats-new
links:
- text: What's new in Windows 10, version 22H2
url: whats-new-windows-10-version-22h2.md
diff --git a/windows/whats-new/whats-new-windows-11-version-23h2.md b/windows/whats-new/whats-new-windows-11-version-23h2.md
new file mode 100644
index 0000000000..cb43e39852
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-11-version-23h2.md
@@ -0,0 +1,125 @@
+---
+title: What's new in Windows 11, version 23H2 for IT pros
+description: Learn more about what's new in Windows 11 version 23H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
+manager: aaroncz
+ms.prod: windows-client
+ms.author: mstewart
+author: mestew
+ms.localizationpriority: medium
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier2
+ms.technology: itpro-fundamentals
+ms.date: 10/31/2023
+appliesto:
+ - ✅ Windows 11, version 23H2
+---
+
+# What's new in Windows 11, version 23H2
+
+Windows 11, version 23H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 22H2. This article lists the new and updated features IT Pros should know.
+
+Windows 11, version 23H2 follows the [Windows 11 servicing timeline](/lifecycle/faq/windows#windows-11):
+
+- **Windows 11 Pro**: Serviced for 24 months from the release date.
+- **Windows 11 Enterprise**: Serviced for 36 months from the release date.
+
+Devices updating from Windows 11, version 22H2 use an enablement package. Most the files for the 23H2 update already exist on Windows 11, version 22H2 devices that have installed a recent monthly security update. Many of the new features have already been enabled on Windows 11, version 22H2 clients. However, some features are just in an inactive and dormant state because they are under [temporary enterprise feature control](temporary-enterprise-feature-control.md). These new features remain dormant until they're turned on through the enablement package, a small, quick-to-install switch that activates all of the Windows 11, version 23H2 features.
+
+Windows 11, version 23H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 11, version 23H2 update](https://blogs.windows.com/windowsexperience/?p=178531). Review the [Windows 11, version 23H2 Windows IT Pro blog post](https://aka.ms/new-in-23H2) to discover information about available deployment resources such as the [Windows Deployment Kit (Windows ADK)](/windows-hardware/get-started/adk-install).
+
+
+To learn more about the status of the update rollout, known issues, and new information, see [Windows release health](/windows/release-health/).
+
+## Features no longer under temporary enterprise control
+
+[Temporary enterprise feature control](temporary-enterprise-feature-control.md) temporarily turns off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
+
+When a manged Windows 11, version 22H2 device installs version 23H2, the following features will no longer under be under temporary enterprise feature control:
+
+| Feature | KB article where the feature was introduced |
+|---|---|
+| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913) |
+| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+| [Dev Home](/windows/dev-home/) | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+| [Dev Drive](/windows/dev-drive/) | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+
+## Features added to Windows 11 since version 22H2
+
+Starting with Windows 11, version 22H2, new features and enhancements were introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an optional nonsecurity preview release and gradually rolled out to clients. These new features are released later as part of a monthly security update release. For more information about continuous innovation, see [Update release cycle for Windows clients](/windows/deployment/update/release-cycle#continuous-innovation-for-windows-11) Some of the features were released within the past year's continuous innovation updates and carry forward into the 23H2 annual feature update include:
+
+
+### Passkeys in Windows
+
+Windows provides a native experience for passkey management. You can use the Settings app to view and manage passkeys saved for apps or websites. For more information, see [Support for passkeys in Windows](/windows/security/identity-protection/passkeys).
+
+### Windows passwordless experience
+
+Windows passwordless experience is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.
+When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords. For more information, see [Windows passwordless experience](/windows/security/identity-protection/passwordless-experience/).
+
+### Web sign-in for Windows
+
+You can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities. For more information, see [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in).
+
+### Declared configuration protocol
+
+**Declared configuration protocol** is a new protocol for device configuration management that's based on a desired state model and uses OMA-DM SyncML protocol. It allows the server to provide the device with a collection of settings for a specific scenario, and the device to handle the configuration request and maintain its state. For more information, see [What is the declared configuration protocol](/windows/client-management/declared-configuration).
+
+### Education themes
+
+You can deploy education themes to your devices. The education themes are designed for students using devices in a school. For more information, see [Configure education themes for Windows 11](/education/windows/edu-themes).
+
+### Temporary enterprise feature control
+
+Controls were added to temporarily turn off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For more information, see [Temporary enterprise feature control](temporary-enterprise-feature-control.md).
+
+### Multi-app kiosk
+
+
+You can configure a multi-app kiosk, which displays a customized start menu of allowed apps. For more information, see [Set up a multi-app kiosk on Windows 11 devices](/windows/configuration/lock-down-windows-11-to-specific-apps).
+
+### Copilot in Windows
+
+Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. For more information, see [Manage Copilot in Windows](/windows/client-management/manage-windows-copilot).
+
+### Windows Hello for Business authentication improvement
+
+Peripheral face and fingerprint sensors can be used for Windows Hello for Business authentication on devices where Enhanced Sign-in Security (Secure Biometrics) has been enabled at the factory. Previously this functionality was blocked. For more information, see [Common questions about Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-faq).
+
+### LAPS native integration
+
+Use Windows Local Administrator Password Solution (LAPS) to regularly rotate and manage local administrator account passwords. For more information, see [Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview)
+
+### Federated sign-in
+
+You can sign into Windows using a federated identity, which simplifies the experience for students. For example, students and educators can use QR code badges to sign-in. This feature is designed specifically for Education editions of Windows. For more information, see [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in).
+
+### Customize Windows 11 taskbar buttons
+
+[Policies to customize Windows 11 taskbar buttons](/windows/configuration/supported-csp-taskbar-windows#csp-policies-to-customize-windows-11-taskbar-buttons) were added to provide you with more control over the taskbar search experience across your organization.
+
+### Braille displays
+
+The compatibility of braille displays was expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. We also added support for new braille displays and new braille input and output languages in Narrator. For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-accessibility-for-ITPros).
+
+### Dev Drive
+
+Dev Drive is a new form of storage volume available to improve performance for key developer workloads. For more information, see [Set up a Dev Drive on Windows 11](/windows/dev-drive/).
+
+### Additional features
+
+
+- **Tabs for File Explorer**: File Explorer includes tabs to help you organize your File Explorer sessions.
+- **Taskbar overflow menu**: The taskbar offers an entry point to a menu that shows all of your overflowed apps in one spot.
+- **Suggested actions**: Copied text in certain formats, such as phone numbers or dates, offer suggested actions such as calling the number or adding the event to your calendar.
+- **Task Manager enhancements**: Process filtering, theme settings, and the ability to opt out of efficiency mode notification were added to Task Manager.
+- **Narrator improvements**: Scripting functionality was added to Narrator. Narrator includes more natural voices.
+
+### In-box apps
+
+- **Microsoft Teams**: Chat is being removed from the Microsoft Teams in-box app. Teams will no longer be pinned to the taskbar for enterprise editions of Windows 11, version 23H2 or later. To identify the appx package: `Get-AppxPackage -Name MicrosoftTeams`
+- **Dev Home**: Dev Home is a new app that provides a central location for developers to start building, testing, and deploying Windows apps. For more information, see [Dev Home](/windows/dev-home/). To identify the appx package: `Get-AppxPackage -Name Microsoft.Windows.DevHome`
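Review bot: several typos in the new article should be fixed before merge: "Most the files for the 23H2 update" (enablement package paragraph) should read "Most of the files"; "When a manged Windows 11, version 22H2 device installs version 23H2, the following features will no longer under be under temporary enterprise feature control" should read "When a managed ... will no longer be under ..."; "Windows Updates for Business" in the same section should be "Windows Update for Business"; and in "Features added to Windows 11 since version 22H2" the sentence after the release-cycle link runs on without a period and reads awkwardly, so "...continuous-innovation-for-windows-11) Some of the features were released within the past year's continuous innovation updates and carry forward into the 23H2 annual feature update include:" should become "...continuous-innovation-for-windows-11). Some of the features that were released within the past year's continuous innovation updates and carry forward into the 23H2 annual feature update include:". The LAPS paragraph also lacks a trailing period, and "Windows Deployment Kit (Windows ADK)" should be "Windows Assessment and Deployment Kit (Windows ADK)".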