Merge branch 'main' into delete-cortana-content-ADO-8098899

2025-06-19 12:23:37 +00:00 · 2023-11-13 07:49:09 -08:00
parent 16aa2cec15 61f8631ab0
commit fbc012fd18
62 changed files with 882 additions and 941 deletions
--- a/.openpublishing.redirection.education.json
+++ b/.openpublishing.redirection.education.json
@ -159,6 +159,21 @@
      "source_path": "education/windows/windows-automatic-redeployment.md",
      "redirect_url": "/education/windows/autopilot-reset",
      "redirect_document_id": false
    },
    {
      "source_path": "education/windows/tutorial-school-deployment/enroll-aadj.md",
      "redirect_url": "/education/windows/tutorial-school-deployment/enroll-entra-join",
      "redirect_document_id": false
    },
    {
      "source_path": "education/windows/tutorial-school-deployment/set-up-azure-ad.md",
      "redirect_url": "/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id",
      "redirect_document_id": false
    },
    {
      "source_path": "education/windows/set-up-school-pcs-whats-new.md",
      "redirect_url": "/education/windows",
      "redirect_document_id": false
    }
  ]
 }
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@ -2,20 +2,13 @@
-
+
 ## Week of November 06, 2023
 | Published On |Topic title | Change |
-|------|------------|--------|
+|------|------------|--------|
-| 9/11/2023 | [Configure education themes for Windows 11](/education/windows/edu-themes) | modified |
+| 11/7/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
-| 9/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
+| 11/9/2023 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified |
-
+| 11/9/2023 | What's new in the Windows Set up School PCs app | removed |
-
+| 11/9/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified |
 ## Week of September 04, 2023
 | Published On |Topic title | Change |
 |------|------------|--------|
 | 9/5/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
 | 9/5/2023 | [Windows for Education documentation](/education/windows/index) | modified |
--- a/education/windows/edu-stickers.md
+++ b/education/windows/edu-stickers.md
@ -1,21 +1,17 @@
 ---
 title: Configure Stickers for Windows 11 SE
 description: Learn about the Stickers feature and how to configure it via Intune and provisioning package.
-ms.date: 09/15/2022
+ms.date: 11/09/2023
 ms.topic: how-to
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
 ms.collection:
  - highpri
  - education
  - tier2
 ---
 # Configure Stickers for Windows 11 SE
-Starting in **Windows 11 SE, version 22H2**, *Stickers* is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
+Starting in **Windows 11 SE, version 22H2**, *Stickers* is a feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
-Similar to the [education theme packs](edu-themes.md "my tooltip example that opens in a new tab"), Stickers is a personalization feature that helps the device feel like it was designed for students.
+Similar to the [education theme packs](edu-themes.md), Stickers is a personalization feature that helps the device feel like it was designed for students.
 :::image type="content" source="./images/win-11-se-stickers.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true":::
@ -35,9 +31,9 @@ Stickers aren't enabled by default. Follow the instructions below to configure y
 [!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)]
-| Setting |
+   | Setting |
-|--------|
+   |--------|
-| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
+   | <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
 [!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
 [!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
--- a/education/windows/edu-take-a-test-kiosk-mode.md
+++ b/education/windows/edu-take-a-test-kiosk-mode.md
@ -1,7 +1,7 @@
 ---
 title: Configure Take a Test in kiosk mode
 description: Learn how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages.
-ms.date: 09/30/2022
+ms.date: 11/08/2023
 ms.topic: how-to
 ---
--- a/education/windows/set-up-school-pcs-whats-new.md
+++ b/education/windows/set-up-school-pcs-whats-new.md
@ -1,97 +0,0 @@
 ---
 title: What's new in the Windows Set up School PCs app
 description: Find out about app updates and new features in Set up School PCs.
 ms.topic: whats-new
 ms.date: 08/10/2022
 ---  
 # What's new in Set up School PCs
 Learn what's new with the Set up School PCs app each week. Find out about new app features and functionality, see updated screenshots, and find information about past releases.
 ## Week of August 24, 2020
 ### Longer device names supported in app
 You can now give devices running Windows 10, version 2004 and later a name that's up to 53 characters long.  
 ## Week of September 23, 2019  
 ### Easier way to deploy Office 365 to your classroom devices 
 Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Microsoft 365 Apps for enterprise. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams.
 ## Week of June 24, 2019  
 ### Resumed support for Windows 10, version 1903 and later   
 The previously mentioned provisioning problem was resolved, so the Set up School PCs app once again supports Windows 10, version 1903 and later. The Windows 10 settings that were removed are now back in the app. 
 ### Device rename made optional for Azure AD-joined devices  
 When you set up your Azure AD join devices in the app, you no longer need to rename your devices. You can keep existing device names.  
 ## Week of May 23, 2019   
 ### Suspended support for Windows 10, version 1903 and later
 Due to a provisioning problem, Set up School PCs has temporarily stopped support for Windows 10, version 1903 and later. All settings in the app that were for Windows 10, version 1903 and later have been removed. When the problem is resolved, support will resume again.  
 ### Mandatory device rename for Azure AD-joined devices
 If you configure Azure AD Join, you're now required to rename your devices during setup. You can't keep existing device names.    
 ## Week of April 15, 2019  
 ### Support for Minecraft Education Edition upgrade
 Set up School PCs only adds apps to the provisioning package that meet the minimum supported version for Windows 10. For example, Minecraft is the most recent store app to upgrade; it's only installed on devices running Windows 10, version 1709 and later. If you select an earlier version of Windows, Minecraft won't be included in the provisioning package.  
 ## Week of April 8, 2019  
 ### Apps configured as non-removeable  
 Apps that you deploy with Set up School PCs are configured as non-removable apps. This feature prevents students from unpinning or uninstalling the apps they need.  
 ### Domain name automatically added during sign-in  
 Specify your preferred Azure Active Directory tenant domain name to automatically append it to the username on the sign-in screen. With this setting, students don't need to type out long school domain names. To sign in, they type only their unique usernames.  
 ### Set up devices with hidden Wi-Fi network
 Set up devices so that they connect to a hidden Wi-Fi network. To configure a hidden network, open the app. When you get to **Wireless network**, choose **Add a Wi-Fi network**. Enter in your Wi-Fi information and select **Hidden network**.  
 ## Week of December 31, 2018
 ### Add Microsoft Whiteboard to provisioning package  
 Microsoft Whiteboard is now a Microsoft-recommended app for schools. Whiteboard is a freeform digital canvas where ideas, content, and people come together; students can create and collaborate in real time in the classroom. Add the app to your provisioning package on the **Add apps** page. For more information, see [Use Set up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package).  
 ## Week of November 5, 2018  
 ### Sync school app inventory from Microsoft Store
 During setup, you can now add apps from your school's Microsoft Store inventory. After you sign in with your school's Office 365 account, Set up School PCs will sync the apps from Microsoft Store, and make them visible on the **Add apps** page. For more information about adding apps, see [Use Set Up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package).   
 ## Week of October 15, 2018
 The Set up School PCs app was updated with the following changes:
 ### Three new setup screens added to the app
 The following screens and functionality were added to the setup workflow. Select a screen name to view the relevant steps and screenshots in the Set Up School PCs docs.  
 * [**Package name**](use-set-up-school-pcs-app.md#package-name): Customize a package name to make it easy to recognize it from your school's other packages. Azure Active Directory generates the name. It appears as the filename, and as the token name in Azure AD in the Azure portal.  
 * [**Product key**](use-set-up-school-pcs-app.md#product-key): Enter a product key to upgrade your current edition of Windows 10, or change the existing product key. 
 * [**Personalization**](use-set-up-school-pcs-app.md#personalization): Upload images from your computer to customize how the lock screen and background appears on student devices.
 ### Azure AD token expiration extended to 180 days
 Packages now expire 180 days from the date you create them.  
 ### Updated apps with more helpful, descriptive text 
 The **Skip** buttons in the app now communicate the intent of each action. An **Exit** button also appears on the last page of the app.  
 ### Option to keep existing device names
 The [**Name these devices** screen](use-set-up-school-pcs-app.md#device-names) now gives you the option to keep the original or existing names of your student devices.   
 ### Skype and Messaging apps to be removed from student PCs by default
 The Skype and Messaging apps are part of a selection of apps that are, by default, removed from student devices.  
 ## Next steps    
 Learn how to create provisioning packages and set up devices in the app.
 * [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
 * [Set up School PCs technical reference](set-up-school-pcs-technical.md)
 * [Set up Windows 10 devices for education](set-up-windows-10.md)
 When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
--- a/education/windows/tutorial-school-deployment/configure-device-settings.md
+++ b/education/windows/tutorial-school-deployment/configure-device-settings.md
@ -1,7 +1,7 @@
 ---
 title: Configure and secure devices with Microsoft Intune
 description: Learn how to configure policies with Microsoft Intune in preparation for device deployment.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
 ms.topic: tutorial
 ---
@ -98,7 +98,7 @@ For more information, see [Security][INT-4].
 > - [<u>Attack surface reduction</u>][MEM-6]
 > - [<u>Account protection</u>][MEM-7]
-________________________________________________________
+---
 ## Next steps
--- a/education/windows/tutorial-school-deployment/configure-devices-overview.md
+++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md
@ -1,7 +1,7 @@
 ---
 title: Configure devices with Microsoft Intune
 description: Learn how to configure policies and applications in preparation for device deployment.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
 ms.topic: tutorial
 ---
--- a/education/windows/tutorial-school-deployment/enroll-entra-join.md
+++ b/education/windows/tutorial-school-deployment/enroll-entra-join.md
@ -1,9 +1,10 @@
 ---
 title: Enrollment in Intune with standard out-of-box experience (OOBE)
 description: Learn how to join devices to Microsoft Entra ID from OOBE and automatically get them enrolled in Intune.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
 ms.topic: tutorial
 ---
 # Automatic Intune enrollment via Microsoft Entra join
 If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Microsoft Entra tenant, and automatically enroll it in Intune.
@ -21,7 +22,8 @@ With this process, no advance preparation is needed:
 :::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
-________________________________________________________
+---
 ## Next steps
 With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
--- a/education/windows/tutorial-school-deployment/enroll-overview.md
+++ b/education/windows/tutorial-school-deployment/enroll-overview.md
@ -1,7 +1,7 @@
 ---
 title: Device enrollment overview
 description: Learn about the different options to enroll Windows devices in Microsoft Intune
-ms.date: 08/31/2022
+ms.date: 11/09/2023
 ms.topic: overview
 ---
@ -22,9 +22,9 @@ This [table][INT-1] describes the ideal scenarios for using either option. It's
 Select one of the following options to learn the next steps about the enrollment method you chose:
 > [!div class="op_single_selector"]
-> - [Automatic Intune enrollment via Microsoft Entra join](enroll-aadj.md)
+> - [Automatic Intune enrollment via Microsoft Entra join](enroll-entra-join.md)
 > - [Bulk enrollment with provisioning packages](enroll-package.md)
-> - [Enroll devices with Windows Autopilot ](enroll-autopilot.md)
+> - [Enroll devices with Windows Autopilot](enroll-autopilot.md)
 <!-- Reference links in article -->
--- a/education/windows/tutorial-school-deployment/enroll-package.md
+++ b/education/windows/tutorial-school-deployment/enroll-package.md
@ -1,7 +1,7 @@
 ---
 title: Enrollment of Windows devices with provisioning packages
 description: Learn about how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
 ms.topic: tutorial
 ---
@ -49,7 +49,8 @@ All settings defined in the package and in Intune will be applied to the device,
 :::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false":::
-________________________________________________________
+---
 ## Next steps
 With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
--- a/education/windows/tutorial-school-deployment/index.md
+++ b/education/windows/tutorial-school-deployment/index.md
@ -1,7 +1,7 @@
 ---
 title: Introduction to the tutorial deploy and manage Windows devices in a school
 description: Introduction to deployment and management of Windows devices in education environments.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
 ms.topic: tutorial
 ---
@ -60,13 +60,14 @@ In the remainder of this document, we'll discuss the key concepts and benefits o
 - **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education
 - **Device reset:** Resetting managed devices with Intune for Education
-________________________________________________________
+---
 ## Next steps
 Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment.
 > [!div class="nextstepaction"]
-> [Next: Set up Microsoft Entra ID >](set-up-azure-ad.md)
+> [Next: Set up Microsoft Entra ID >](set-up-microsoft-entra-id.md)
 <!-- Reference links in article -->
--- a/education/windows/tutorial-school-deployment/manage-overview.md
+++ b/education/windows/tutorial-school-deployment/manage-overview.md
@ -1,7 +1,7 @@
 ---
 title: Manage devices with Microsoft Intune
 description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
 ms.topic: tutorial
 ---
--- a/education/windows/tutorial-school-deployment/manage-surface-devices.md
+++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md
@ -1,7 +1,7 @@
 ---
 title: Management functionalities for Surface devices
 description: Learn about the management capabilities offered to Surface devices, including firmware management and the Surface Management Portal.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
 ms.topic: tutorial
 appliesto: 
  - ✅ <b>Surface devices</b>
@ -9,7 +9,7 @@ appliesto:
 # Management functionalities for Surface devices
-Microsoft Surface devices offer many advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
+Microsoft Surface devices offer advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
 ## Manage device firmware for Surface devices
@ -27,20 +27,18 @@ When Surface devices are enrolled in cloud management and users sign in for the
 To access and use the Surface Management Portal:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
-2. Select **All services** > **Surface Management Portal**
+1. Select **All services** > **Surface Management Portal**
    :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true":::
-3. To obtain insights for all your Surface devices, select **Monitor**
+1. To obtain insights for all your Surface devices, select **Monitor**
    - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here
-4. To obtain details on each insights category, select **View report**
+1. To obtain details on each insights category, select **View report**
    - This dashboard displays diagnostic information that you can customize and export
-5. To obtain the device's warranty information, select **Device warranty and coverage**
+1. To obtain the device's warranty information, select **Device warranty and coverage**
-6. To review a list of support requests and their status, select **Support requests**
+1. To review a list of support requests and their status, select **Support requests**
 <!-- Reference links in article -->
 [INT-1]: /intune/configuration/device-firmware-configuration-interface-windows
 [MEM-1]: /mem/autopilot/dfci-management
 [SURF-1]: /surface/surface-manage-dfci-guide
--- a/education/windows/tutorial-school-deployment/reset-wipe.md
+++ b/education/windows/tutorial-school-deployment/reset-wipe.md
@ -1,7 +1,7 @@
 ---
 title: Reset and wipe Windows devices
 description: Learn about the reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
 ms.topic: tutorial
 ---
@ -104,6 +104,7 @@ Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be
 For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4].
 <!-- Reference links in article -->
 [MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
 [MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
 [MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal
--- a/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md
+++ b/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md
@ -1,7 +1,7 @@
 ---
 title: Set up Microsoft Entra ID
 description: Learn how to create and prepare your Microsoft Entra tenant for an education environment.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
 ms.topic: tutorial
 appliesto:
 ---
@ -86,6 +86,7 @@ There are two options for adding users manually, either individually or in bulk:
    - Select **Microsoft Entra ID** > **Users** > **All users** > **Bulk operations** > **Bulk create**
 For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
 ### Create groups
 Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
@ -143,7 +144,7 @@ To allow provisioning packages to complete the Microsoft Entra join process:
 1. Select Save
    :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
-________________________________________________________
+---
 ## Next steps
--- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
+++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
@ -1,7 +1,7 @@
 ---
 title: Set up device management
 description: Learn how to configure the Intune service and set up the environment for education.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
 ms.topic: tutorial
 appliesto:
 ---
@ -74,7 +74,7 @@ To disable Windows Hello for Business at the tenant level:
 For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
-________________________________________________________
+---
 ## Next steps
--- a/education/windows/tutorial-school-deployment/toc.yml
+++ b/education/windows/tutorial-school-deployment/toc.yml
@ -4,7 +4,7 @@ items:
  - name: 1. Prepare your tenant
    items:
      - name: Set up Microsoft Entra ID
-        href: set-up-azure-ad.md
+        href: set-up-microsoft-entra-id.md
      - name: Set up Microsoft Intune
        href: set-up-microsoft-intune.md
  - name: 2. Configure settings and applications
@ -20,7 +20,7 @@ items:
      - name: Overview
        href: enroll-overview.md
      - name: Enroll devices via Microsoft Entra join
-        href: enroll-aadj.md
+        href: enroll-entra-join.md
      - name: Enroll devices with provisioning packages
        href: enroll-package.md
      - name: Enroll devices with Windows Autopilot
--- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md
+++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
@ -1,7 +1,7 @@
 ---
 title: Troubleshoot Windows devices
 description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
 ms.topic: tutorial
 ---
@ -25,10 +25,9 @@ Here's a collection of resources to help you troubleshoot Windows devices manage
 Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
-Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
+Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices:
 :
- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
 - Select **Troubleshooting + support** > **Help and support**
    :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png":::
 - Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@ -2,87 +2,89 @@
 title: Use Set up School PCs app
 description: Learn how to use the Set up School PCs app and apply the provisioning package.
 ms.topic: how-to
-ms.date: 08/10/2022
+ms.date: 11/09/2023
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 # Use the Set up School PCs app  
-IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings the app configures through the MDM.   
+IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows devices for students. The app configures devices with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student device in Microsoft Intune. You can then manage all the settings the app configures through Intune.
-Set up School PCs also:  
+With Set up School PCs you can:
 * Joins each student PC to your organization's Office 365 and Microsoft Entra tenant.  
 * Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state.  
 * Utilizes Windows Update and maintenance hours to keep student PCs up-to-date, without interfering with class time.
 * Locks down the student PC to prevent activity that isn't beneficial to their education.  
-This article describes how to fill out your school's information in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).  
+- Joins student devices to your organization's Microsoft Entra tenant
 - Enable the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state
 - Use Windows Update and maintenance hours to keep student devices up-to-date, without interfering with class time
 - Lock down student devices to prevent activity that aren't beneficial to their education  
 This article describes how to use the Set up School PCs app. To learn more about the app's functionality, review the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).  
 ## Requirements
 Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements.
-* Office 365 and Microsoft Entra ID
+Before you begin, make sure that your devices and your school's network are configured with the following requirements:
 * [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40)  
 * A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office
 * Student PCs must either: 
    * Be within range of the Wi-Fi network that you configured in the app.
    * Have a wired Ethernet connection when you set them up.  
-### Configure USB drive for additional space  
+- Microsoft Entra ID and Microsoft 365 licenses
-USB drives are, by default, FAT32-formatted, and are unable to save more than 4 GB of data. If you plan to install several apps, or large apps like Microsoft Office, you'll need more space. To create more space on the USB drive, reformat it to NTFS.  
+- [Latest Set up School PCs app](https://apps.microsoft.com/detail/9NBLGGH4LS40)  
-1. Insert the USB drive into your computer.
+- A NTFS-formatted USB drive that is at least 1 GB
-2. Go to the **Start** > **This PC**.
+- Student devices must either:
-3. In the **Devices and drives** section, find your USB drive. Right-click to see its options.
+  - Be within range of the Wi-Fi network that you configured in the app
-4. Select **Format** from the list to bring up the **Format drive name** window.
+  - Have a wired Ethernet connection when you set them up  
 5. Set **File system** to **NTFS**.
 6. Click **Start** to format the drive.
 ### Prepare existing PC account for new setup
 Apply new packages to factory reset or new PCs. If you apply it to a PC that's already set up, you may lose the accounts and data.
-If a PC has already been set up, and you want to apply a new package, reset the PC to a clean state.
+Apply new packages to factory reset or new devices. If you apply it to a device that's already set up, you may lose the accounts and data.
-To begin, go to the **Settings** app on the appropriate PC.
+If a device is already set up, and you want to apply a new package, reset the device to a clean state. To reset a device, follow these steps:
 1. Click **Update & Security** > **Recovery**. 
 2. In the **Reset this PC** section, click **Get started**. 
 3. Click **Remove everything**.
-You can also go to **Start** > **Power** icon. Hold down the Shift key and click **Restart** to load the Windows boot user experience. From there, follow these steps: 
+1. Open the **Settings** app on target device
-1. Click **Troubleshoot** and then choose **Reset this PC**.
+1. Select **Update & Security** > **Recovery**
-2. Select **Remove everything**.
+1. In the **Reset this PC** section, select **Get started**
-3. If the option appears, select **Only the drive where Windows is installed**.  
+1. Select **Remove everything**
-4. Click **Just remove my files**.
+
-5. Click **Reset**.
+Alternatively, you can also select **Start** > **Power** icon. Hold down <kbd>Shift</kbd> while selecting **Restart** to load the Windows boot user experience:
 1. Select **Troubleshoot** > **Reset this PC**
 1. Select **Remove everything**
 1. If the option appears, select **Only the drive where Windows is installed**  
 1. Select **Just remove my files**
 1. Select **Reset**
 ## Recommendations
 This section offers recommendations to prepare you for the best possible setup experience.
 ### Run the same Windows 10 build on the admin device and the student PCs  
 We recommend you run the IT administrator or technical teacher's device on the same Windows 10 build as the student PCs.
-### Student PCs should meet OS requirements for the app  
+### Run the same Windows build on the admin device and the student devices
 Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs.  
-To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements > OS**.
+We recommend you run the IT administrator or technical teacher's device on the same Windows build as the student devices.
 ### Student devices must meet OS requirements for the app  
 Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows images on the student devices.  
 To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements** > **OS**.
 ### Use app on a PC that is connected to your school's network  
 We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you'll need to enter the information manually.
- > [!NOTE]  
+We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you need to enter the information manually.
-  > Don't use the **Set up Schools PCs** app for PCs that must connect to:
+
- >* Enterprise networks that require the user to accept Terms of Use.
+>[!NOTE]  
- >* Open Wi-Fi networks that require the user to accept Terms of Use.
+>Don't use the **Set up Schools PCs** app for devices that must connect to enterprise or open Wi-Fi networds that require the user to accept Terms of Use.
 ### Run app on an open network or network that requires a basic password  
-Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it.
+
 Don't use Set up School PCs over a certificate-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it.
 We recommend that you:
 * Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously.  
 * Configure your IP addresses to expire after a short time--about 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues.    
-> > [!WARNING]
+- Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses allow you to set up many devices simultaneously
-> > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings.  
+- Configure your IP addresses to expire after a short time, for example 30 minutes. IP addresses free up quickly so you can continue to set up devices without network issues.
 >[!WARNING]
 >Only use the provisioning package on devices that you want to configure and lock down for students. After you apply the provisioning package to a student device, the PC must be reset to remove the settings.
 ### Use an additional USB drive
 To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup.
 ### Limit changes to school-optimized settings  
@ -91,191 +93,172 @@ We strongly recommend that you avoid changing preset policies. Changes can slow
 ## Create the provisioning package  
-The **Set up School PCs** app guides you through the configuration choices for the student PCs.  To begin, open the app on your PC and click **Get started**.   
+The **Set up School PCs** app guides you through the configuration choices for the student PCs.  To begin, open the app on your device and select **Get started**.
-   ![Launch the Set up School PCs app.](images/suspcs/suspc_getstarted_050817.png)  
+![Launch the Set up School PCs app.](images/suspcs/suspc_getstarted_050817.png)  
 ### Package name
 Type a unique name to help distinguish your school's provisioning packages. The name appears:  
-* On the local package folder  
+- On the local package folder
-* In your tenant's Microsoft Entra account in the Azure portal  
+- In your tenant's Microsoft Entra account in the Azure portal
-A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 4-16-2019)*. The expiration date is 180 days after you create your package.  
+A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 1-1-2024)*. The expiration date is 180 days after you create your package.  
  ![Example screenshot of the Set up School PCs app, Name your package screen.](images/suspcs/1810_Name_Your_Package_SUSPC.png)  
-After you click **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app.  
+After you select **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app.  
 To change an existing package's name, right-click the package folder on your device and select **Rename**. This action does not change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there.  
 To change an existing package's name, right-click the package folder on your device and select **Rename**. This action doesn't change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there.  
 ### Sign in  
-1. Select how you want to sign in.  
+1. Select how you want to sign in
-    a. (Recommended) To enable student PCs to automatically be connect to Office 365, Microsoft Entra ID, and management services like Intune for Education, click **Sign-in**. Then go to step 3.  
+    1. (Recommended) To enable student device to automatically connect and authenticate to Microsoft Entra ID, and management services like Microsoft Intune, select **Sign-in**. Then go to step 3  
-    b. To complete setup without signing in, click **Continue without account**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](#wireless-network).  
+    1. To complete setup without signing in, select **Continue without account**. Student devices won't connect to your school's cloud services and their management will be more difficult later. Continue to [Wireless network](#wireless-network)
-2. In the new window, select the account you want to use throughout setup.  
+1. In the new window, select the account you want to use throughout setup.  
    ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspcs/1810_choose_account_suspc.png)  
    To add an account not listed:  
-    a. Click **Work or school account** > **Continue**.  
+    1. Select **Work or school account** > **Continue**.  
-    b. Type in the account username and click **Next**.  
+    1. Type in the account username and select **Next**.  
-    c. Verify the user account and password, if prompted.  
+    1. Verify the user account and password, if prompted.  
-
+1. Select **Accept** to allow Set up School PCs to access your account throughout setup
-3. Click **Accept** to allow Set up School PCs to access your account throughout setup.
+1. When your account name appears on the page, select **Next**
 2. When your account name appears on the page, as shown in the image below, click **Next.**
      ![Example screenshot of the Set up School PC app, Sign in screen, showing that the user's account name appears at the bottom of the page.](images/suspcs/1810_Sign_In_SUSPC.png)  
 ### Wireless network
 Add and save the wireless network profile that you want student PCs to connect to. Only skip Wi-Fi setup if you have an Ethernet connection.  
-Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.**  
+Add and save the wireless network profile that you want student devices to connect to. Only skip Wi-Fi setup if you have an Ethernet connection.  
 Select your organization's Wi-Fi network from the list of available wireless networks, or select **Add a wireless network** to manually configure it. Then select **Next**  
 ![Example screenshot of the Set up School PC app, Wireless network page with two Wi-Fi networks listed, one of which is selected.](images/suspcs/1810_SUSPC_select_Wifi.png)  
 ### Device names
 Create a short name to add as a prefix to each PC. This name will help you recognize and manage this specific group of devices in your mobile device manager. The name must be five (5) characters or less.  
-To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *Math4* as the prefix, the device names will appear as *Math4* followed by a random string of letters and numbers.   
+Create a name to add as a prefix to each device. This name helps you recognize and manage this group of devices in Intune.
-To keep the default name for your devices, click **Continue with existing names**.
+To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *MATH4* as the prefix, the device names appear as *MATH4* followed by the device serial number.
 To keep the default name for your devices, select **Continue with existing names**.
  !["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspcs/1810_name-devices_SUSPC.png)  
 ### Settings
-Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs.  
+
 Select more settings to include in the provisioning package. To begin, select the operating system on your student PCs.
 ![Screenshot of the Current OS version page with the Select OS version menu selected, showing 7 Windows 10 options. All other settings on page are unavailable to select.](images/suspcs/1810_suspc_settings.png)  
-Setting selections vary based on the OS version you select. The example screenshot below shows the settings that become available when you select **Windows 10 version 1703**. The option to **Enable Autopilot Reset** is not available for this version of Windows 10.  
+Setting selections vary based on the OS version you select.
 ![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspcs/1810_SUSPC_available_settings.png)  
 > [!NOTE]
 > The [**Time zone** setting](use-set-up-school-pcs-app.md#time-zone), shown in the sidebar of the screenshot above, is not made available to versions of Windows 10 in S mode. If you select a version in S mode, **Time zone** will become disabled.  
 The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column.
-|Setting  |1703|1709|1803|1809|What happens if I select it? |Note|
+| Setting | What happens if I select it? | Note |
-|---------|---------|---------|---------|---------|---------|---------|
+|--|--|--|
-|Remove apps pre-installed by the device manufacturer |X|X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.|
+| Remove apps preinstalled by the device manufacturer | Uninstalls apps that came loaded on the computer by the device's manufacturer. | Adds about 30 minutes to the provisioning process. |
-|Allow local storage (not recommended for shared devices)    |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC.         |Not recommended if the device will be shared between different students.|
+| Allow local storage (not recommended for shared devices) | Lets students save files to the Desktop and Documents folder on the Student PC. | Not recommended if the device are shared between different students. |
-|Optimize device for a single student, instead of a shared cart or lab    |X|X|X|X|Optimizes the device for use by a single student, rather than many students.       |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
+| Optimize device for a single student, instead of a shared cart or lab | Optimizes the device for use by a single student, rather than many students. | Recommended if the device are shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
-|Let guests sign in to these PCs     |X|X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
+| Let guests sign in to these PCs | Allows guests to use student PCs without a school account. | Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to. |
-|Enable Autopilot Reset  |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM).  |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
+| Enable Autopilot Reset | Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM). | WinRE must be enabled on the device. |
-|Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|   
+| Lock screen background | Change the default screen lock background to a custom image. | Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. |
-After you've made your selections, click **Next**.
+After you've made your selections, select **Next**.
 ### Time zone  
 > [!WARNING]
 > If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error.
-Choose the time zone where your school's PCs are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, click **Next**.  
+Choose the time zone where your school's devices are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, select **Next**.  
 ![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspcs/1810_suspc_timezone.png)  
 ### Product key
-Optionally, type in a 25-digit product key to:
+
-* Upgrade your current edition of Windows. For example, if you want to upgrade from Windows 10 Education to Windows 10 Education Pro, enter the product key for the Pro edition.
+Optionally, type in a 25-digit product key to upgrade or change the edition of Windows on your student devices. If you don't have a product key, select **Continue without change**.
 * Change the product key. If you want to associate student devices with a new or different Windows 10 product key, enter it now.  
 ![Example screenshot of the Set up School PC app, Product key screen, showing a value field, Next button, and Continue without change option.](images/suspcs/1810_suspc_product_key.png)  
 ### Take a Test
 Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device.  
-1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs.    
+Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student devices so that students can't access anything else on the device.
 1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' devices
    ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspcs/1810_SUSPC_Take_Test.png)
-2. Select from the advanced settings. Available settings include:  
+1. Select from the advanced settings. Available settings include:  
-    * Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the PC's keyboard.  
+    - Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the device's keyboard
-    * Allow teachers to monitor online tests: Enables screen capture in the Take a Test app.  
+    - Allow teachers to monitor online tests: Enables screen capture in the Take a Test app
-3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment.  
+1. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to select or enter the link to view the assessment
-4. Click **Next**. 
+1. Select **Next**
 ### Add apps  
 Choose from Microsoft recommended apps and your school's own Microsoft Store inventory. The apps you select here are added to the provisioning package and installed on student PCs. After they're assigned, apps are pinned to the device's Start menu.  
 If there aren't any apps in your Microsoft Store inventory, or you don't have the permissions to add apps, you'll need to contact your school admin for help. If you receive a message that you can't add the selected apps, click **Continue without apps**. Contact your school admin to get these apps later.  
 After you've made your selections, click **Next**.  
  ![Example screenshots of the Add apps screen with selection of recommended apps and school inventory apps.](images/suspcs/1812_Add_Apps_SUSPC.png)  
 The following table lists the recommended apps you'll see.  
 |App |Note |
 |---------|---------|
 |Office 365 for Windows 10 in S mode (Education Preview) | Setup is only successful on student PCs that run Windows 10 in S mode. The PC you running the Set up School PCs app is not required to have Windows 10 in S mode.        |
 |Microsoft Whiteboard | None|
 |Minecraft: Education Edition | Free trial|
 ### Personalization
 Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.  
-If you don't want to upload custom images or use the images that appear in the app, click **Continue without personalization**. This option does not apply any customizations, and instead uses the devices' default or preset images.  
+Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.  
-   ![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png)  
+If you don't want to upload custom images or use the images that appear in the app, select **Continue without personalization**. This option doesn't apply any customizations, and instead uses the devices' default or preset images.  
 ![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png)  
 ### Summary
 Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over.
 1. To make changes now, click any page along the left side of the window.  
 2. When finished, click **Accept**.  
-      ![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspcs/1810_SUSPC_summary.png)  
+Review all of the settings for accuracy and completeness
 1. To make changes now, select any page along the left side of the window
 2. When finished, select **Accept**
 ![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspcs/1810_SUSPC_summary.png)  
 > [!NOTE]
 > To make changes to a saved package, you have to start over.
 ### Insert USB
-1. Insert a USB drive. The **Save** button will light up when your computer detects the USB.  
+
-2. Choose your USB drive from the list and click **Save**.
+1. Insert a USB drive. The **Save** button lights up when your computer detects the USB
 1. Choose your USB drive from the list and select **Save**
    ![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspcs/1810_SUSPC_USB.png)
-3. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**. 
+1. When the package is ready, you see the filename and package expiration date. You can also select **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and select **Next**
-      ![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png)  
+![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png)  
 ## Run package - Get PCs ready
 Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**.  
-  ![Your provisioning package is ready! screen with 3 steps to get student PCs ready for setup. Save button is active.](images/suspcs/suspc_runpackage_getpcsready.png)  
+Complete each step on the **Get PCs ready** page to prepare student devices for set-up. Then select **Next**.
 ![Your provisioning package is ready! screen with 3 steps to get student devices ready for setup. Save button is active.](images/suspcs/suspc_runpackage_getpcsready.png)  
 ## Run package - Install package on PC
-The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows 10 without reimaging the device. 
+The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows without reimaging the device.
-When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student PC. This section describes how to apply the settings to a PC in your school.  
+When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student device. This section describes how to apply the settings to a device in your school.  
 > [!IMPORTANT]
-> The PC must have a new or reset Windows 10 image and must not already have been through first-run setup (also referred to as OOBE). For instructions about how to reset a computer's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup).  
+> The devices must have a new or reset Windows image and must not already have been through first-run setup experience (which is referred to as *OOBE*). For instructions about how to reset a devices's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup).  
-1.  Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 version 1803, the first-run setup screen reads, **Let's start with region. Is this right?** 
+1. Start with the student device turned off or with the device on the first-run setup screen. If the device is past the account setup screen, reset the device to start over. To reset the it, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**
    If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.  
    ![Example screenshot of the first screen the Windows 10 PC setup for OOBE. United States is selected as the region and the Yes button is active.](images/suspcs/win10_1703_oobe_firstscreen.png)
-2. Insert the USB drive. Windows automatically recognizes and installs the package.  
+1. Insert the USB drive. Windows automatically recognizes and installs the package
    ![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspcs/suspc_studentpcsetup_installingsetupfile.png)
-3. When you receive the message that it's okay to remove the USB drive, remove it from the PC. If there are more PCs to set up, insert the USB drive into the next PC.  
+
 1. When you receive the message that it's okay to remove the USB drive, remove it from the device. If there are more devices to set up, insert the USB drive into the next one
     ![Screen with message telling user to remove the USB drive.](images/suspcs/suspc_setup_removemediamessage.png)  
-4. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience.  If you did configure the package with Microsoft Entra join, the computer is ready for use and no further configurations are required.  
+1. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience. If you did configure the package with Microsoft Entra join, the device is ready for use and no further configurations are required
-      If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources.
+If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources.
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@ -42,6 +42,8 @@
      "uhfHeaderId": "MSDocsHeader-Windows",
      "ms.technology": "itpro-configure",
      "ms.topic": "article",
      "ms.prod": "windows-client",
      "manager": "aaroncz",
      "feedback_system": "GitHub",
      "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@ -12,15 +12,15 @@ ms.topic: how-to
 ms.collection:
 - highpri
 - tier2
-ms.date: 12/31/2017
+ms.date: 11/08/2023
 appliesto: 
  - ✅ <b>Windows 10 Pro</b>
  - ✅ <b>Windows 10 Enterprise</b>
  - ✅ <b>Windows 10 Education</b>
 ---
 # Set up a multi-app kiosk on Windows 10 devices
 **Applies to**
 - Windows 10 Pro, Enterprise, and Education
 > [!NOTE]
 > The use of multiple monitors isn't supported for multi-app kiosk mode in Windows 10.
@ -33,13 +33,13 @@ The following table lists changes to multi-app kiosk in recent updates.
 | - Configure [a single-app kiosk profile](#profile) in your XML file<br><br>- Assign [group accounts to a config profile](#config-for-group-accounts)<br><br>- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 |
 | - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)<br><br>- [Automatically launch an app](#allowedapps) when the user signs in<br><br>- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809<br><br>**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. |
->[!WARNING]
+> [!WARNING]
->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
+> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
 You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
->[!TIP]
+> [!TIP]
->Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
+> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
 <span id="intune"/>
@ -62,7 +62,7 @@ Process:
 Watch how to use a provisioning package to configure a multi-app kiosk.
->[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
 If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
@ -71,8 +71,8 @@ If you don't want to use a provisioning package, you can deploy the configuratio
 - Windows Configuration Designer (Windows 10, version 1709 or later)
 - The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later
->[!NOTE]
+> [!NOTE]
->For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
+> For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
 ### Create XML file
@ -198,7 +198,7 @@ Starting in Windows 10 version 1809, you can explicitly allow some known folders
 The following example shows how to allow user access to the Downloads folder in the common file dialog box.
->[!TIP]
+> [!TIP]
 > To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a file explorer shortcut to the kiosk start menu.
 ```xml
@ -278,8 +278,8 @@ The following example pins Groove Music, Movies & TV, Photos, Weather, Calculato
 </StartLayout>
 ```
->[!NOTE]
+> [!NOTE]
->If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
+> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
 ![What the Start screen looks like when the XML sample is applied.](images/sample-start.png)
@ -299,8 +299,8 @@ The following example hides the taskbar:
 <Taskbar ShowTaskbar="false"/>
 ```
->[!NOTE]
+> [!NOTE]
->This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
+> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
 ##### KioskModeApp
@ -310,8 +310,8 @@ The following example hides the taskbar:
 <KioskModeApp AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>
 ```
->[!IMPORTANT]
+> [!IMPORTANT]
->The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.  
+> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.  
 #### Configs
@ -325,8 +325,8 @@ You can assign:
 - [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts)
 - [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
->[!NOTE]
+> [!NOTE]
->Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
+> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
 ##### Config for AutoLogon Account
@ -356,8 +356,8 @@ Starting with Windows 10 version 1809, you can configure the display name that w
 On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
->[!IMPORTANT]
+> [!IMPORTANT]
->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
+> When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
 ##### Config for individual accounts
@ -367,13 +367,13 @@ Individual accounts are specified using `<Account>`.
 - Domain account should be entered as `domain\account`.
 - Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
->[!WARNING]
+> [!WARNING]
->Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account.  However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
+> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account.  However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
 Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
->[!NOTE]
+> [!NOTE]
->For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
+> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
 ```xml
 <Configs>
@ -415,8 +415,8 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
  </Config>
  ```
-  >[!NOTE]
+  > [!NOTE]
-  >If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
+  > If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
 <span id="add-xml" />
@ -488,8 +488,8 @@ Before you add the XML file to a provisioning package, you can [validate your co
 Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
->[!IMPORTANT]
+> [!IMPORTANT]
->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
 1. Open Windows Configuration Designer. By default: `%systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`.
@ -619,8 +619,8 @@ Remove Sign Out option in Security Options UI    |  Enabled
 Remove All Programs list from the Start Menu     |  Enabled - Remove and disable setting
 Prevent access to drives from My Computer    |  Enabled - Restrict all drivers
->[!NOTE]
+> [!NOTE]
->When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
+> When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
 ### MDM policy
@ -663,8 +663,8 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont
 - Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file.
-  >[!IMPORTANT]
+  > [!IMPORTANT]
-  >Paste the full file path to the .lnk file in the **CommandFiles** field. If you browse to and select the .lnk file, the file path will be changed to the path of the target of the .lnk.
+  > Paste the full file path to the .lnk file in the **CommandFiles** field. If you browse to and select the .lnk file, the file path will be changed to the path of the target of the .lnk.
 - Under **CommandLine**, enter `cmd /c *FileName*.bat`.
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@ -1,16 +1,12 @@
 ---
 title: Set up a shared or guest Windows device
 description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
-ms.date: 11/06/2023
+ms.date: 11/08/2023
 ms.prod: windows-client
 ms.technology: itpro-configure
-ms.topic: reference
+ms.topic: how-to
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer: 
 manager: aaroncz
 ms.collection: tier2
 appliesto: 
  - ✅ <b>Windows 10</b>
  - ✅ <b>Windows 11</b>
--- a/windows/configuration/shared-devices-concepts.md
+++ b/windows/configuration/shared-devices-concepts.md
@ -1,14 +1,10 @@
 ---
 title: Manage multi-user and guest Windows devices
 description: options to optimize Windows devices used in shared scenarios, such touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
-ms.date: 08/18/2023
+ms.date: 11/08/2023
 ms.prod: windows-client
 ms.technology: itpro-configure
 ms.topic: concept-article
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
 ms.collection: tier2
 appliesto: 
  - ✅ <b>Windows 10</b>
  - ✅ <b>Windows 11</b>
@ -61,12 +57,10 @@ Shared devices require special considerations regarding power settings. Shared P
 - To learn how to configure Shared PC, see [Set up a shared or guest Windows device](set-up-shared-or-guest-pc.md).
 - For a list of settings configured by the different options offered by Shared PC, see the [Shared PC technical reference](shared-pc-technical.md).
- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-3].
+- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-1].
- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-4].
+- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-2].
-----------
+<!--links-->
-[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
+[WIN-1]: /windows/client-management/mdm/sharedpc-csp
-[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
+[WIN-2]: /windows/configuration/wcd/wcd-sharedpc
 [WIN-3]: /windows/client-management/mdm/sharedpc-csp
 [WIN-4]: /windows/configuration/wcd/wcd-sharedpc
--- a/windows/configuration/shared-pc-technical.md
+++ b/windows/configuration/shared-pc-technical.md
@ -1,16 +1,10 @@
 ---
 title: Shared PC technical reference
 description: List of policies and settings applied by the Shared PC options.
-ms.date: 11/06/2023
+ms.date: 11/08/2023
 ms.prod: windows-client
 ms.technology: itpro-configure
 ms.topic: reference
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer: 
 manager: aaroncz
 ms.collection: tier2
 appliesto: 
  - ✅ <b>Windows 10</b>
  - ✅ <b>Windows 11</b>
--- a/windows/deployment/do/images/assigning-ip-2.png
+++ b/windows/deployment/do/images/assigning-ip-2.png
--- a/windows/deployment/do/images/external-switch-1.jpg
+++ b/windows/deployment/do/images/external-switch-1.jpg
--- a/windows/deployment/do/images/installation-complete-7.png
+++ b/windows/deployment/do/images/installation-complete-7.png
--- a/windows/deployment/do/images/installation-info-4.png
+++ b/windows/deployment/do/images/installation-info-4.png
--- a/windows/deployment/do/images/memory-storage-5.png
+++ b/windows/deployment/do/images/memory-storage-5.png
--- a/windows/deployment/do/images/portal-installation-instructions-6.png
+++ b/windows/deployment/do/images/portal-installation-instructions-6.png
--- a/windows/deployment/do/images/use-custom-dns-3.png
+++ b/windows/deployment/do/images/use-custom-dns-3.png
--- a/windows/deployment/do/mcc-enterprise-deploy.md
+++ b/windows/deployment/do/mcc-enterprise-deploy.md
@ -13,7 +13,7 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>	
-ms.date: 03/10/2023
+ms.date: 11/09/2023
 ---
 # Deploy your cache node
@ -29,7 +29,7 @@ To deploy MCC to your server:
 1. [Create an MCC Node](#create-an-mcc-node-in-azure)
 1. [Edit Cache Node Information](#edit-cache-node-information)
 1. [Install MCC on a physical server or VM](#install-mcc-on-windows)
-1. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server)
+1. [Verify MCC functionality](#verify-mcc-server-functionality)
 1. [Review common Issues](#common-issues) if needed.
 For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
@ -194,12 +194,15 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
    > </br>
    > </br> [D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"):
-1. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch.
+1. Choose whether you would like to create a new external virtual switch or select an existing external virtual switch.  
   If creating a new external virtual switch, name your switch and be sure to choose a Local Area Connection (USB adapters work as well however, we do not recommend using Wi-Fi). A computer restart will be required if you're creating a new switch.
    > [!NOTE]
    > Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted.
-    If you restarted your computer after creating a switch, start from Step 2 above and skip step 5.
+    If you restarted your computer after creating a switch, start from step 2 above and skip to step 5.
    If you opt to use an existing external switch, select the switch from the presented options. Local Area Connection (or USB) is preferable to Wi-Fi. 
   :::image type="content" source="./images/ent-mcc-script-new-switch.png" alt-text="Screenshot of the installer script running in PowerShell when a new switch is created." lightbox="./images/ent-mcc-script-new-switch.png":::
@ -207,34 +210,46 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
     :::image type="content" source="./images/ent-mcc-script-existing-switch.png" alt-text="Screenshot of the installer script running in PowerShell when using an existing switch." lightbox="./images/ent-mcc-script-existing-switch.png":::
-1. Decide whether you would like to use dynamic or static address for the Eflow VM
+1. Decide whether you would like to use dynamic or static address for the Eflow VM. If you choose to use a static IP, do not use the IP address of the server. It is a VM, and it will have its own IP.
    :::image type="content" source="./images/ent-mcc-script-dynamic-address.png" alt-text="Screenshot of the installer script running in PowerShell asking if you'd like to use a dynamic address." lightbox="./images/ent-mcc-script-dynamic-address.png":::
    > [!NOTE]
    > Choosing a dynamic IP address might assign a different IP address when the MCC restarts. A static IP address is recommended so you don't have to change this value in your management solution when MCC restarts.
-1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for all prompts.
+   The IP address you assign to the EFLOW VM should be within the same subnet as the host server (based on the subnet mask) and not used by any other machine on the network.
   For example, for host configuration where the server IP Address is 192.168.1.202 and the subnet mask is 255.255.255.0, the static IP can be anything 192.168.1.* except 192.168.1.202.
   <!-- Insert Image 1 & 2. Remove ent-mcc-script-dynamic-address.png image (it is replaced by image 2) -->
    :::image type="content" source="./images/external-switch-1.jpg" alt-text="Screenshot of a sample output of ipconfig command showing example of subnet mask." lightbox="./images/external-switch-1.jpg":::
    :::image type="content" source="./images/assigning-ip-2.png" alt-text="Screenshot of multiple installer questions about ipv4 address for Eflow." lightbox="./images/assigning-ip-2.png":::
-1. Follow the Azure Device Login link and sign into the Azure portal.
+   If you would like to use your own DNS server instead of Google DNS 8.8.8.8, select **n** and set your own DNS server IP.
   :::image type="content" source="./images/use-custom-dns-3.png" alt-text="Screenshot of multiple installer questions about setting an alternate DNS server." lightbox="./images/use-custom-dns-3.png":::
   If you use a dynamic IP address, the DHCP server will automatically configure the IP address and DNS settings. 
-     :::image type="content" source="./images/ent-mcc-script-device-code.png" alt-text="Screenshot of the installer script running in PowerShell displaying the code and URL to use for the Azure portal." lightbox="./images/ent-mcc-script-device-code.png":::
+1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for download path, install path, and virtual hard disk path. 
-
+   <!-- Insert Image 4 -->
-1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
+   :::image type="content" source="./images/installation-info-4.png" alt-text="Screenshot of multiple installer questions about memory and storage for EFLOW." lightbox="./images/installation-info-4.png":::
   For more information, see [Sizing Recommendations](mcc-enterprise-prerequisites.md#sizing-recommendations) for memory, virtual storage, and CPU cores. For this example we chose the recommend values for a Branch Office/Small Enterprise deployment.
   <!-- Insert Image 5 -->
   :::image type="content" source="./images/memory-storage-5.png" alt-text="Screenshot of multiple installer questions about memory and storage." lightbox="./images/memory-storage-5.png":::
   <!-- Remove: If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
    1. You'll be shown a list of existing IoT Hubs in your Azure subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"**
       :::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png":::
       -->
 1.  When the installation is complete, you should see the following output (the values below will be your own)
       :::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png":::
-
+       <!-- Insert Image 7 -->
    :::image type="content" source="./images/installation-complete-7.png" alt-text="Screenshot of expected output when installation is complete." lightbox="./images/installation-complete-7.png":::
 1. Your MCC deployment is now complete.
   If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
   - After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
   - If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
-    1. If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
+## Verify MCC server functionality
    1. After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
    1. If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
 ## Verify proper functioning MCC server
 #### Verify client side
@ -251,14 +266,20 @@ Connect to the EFLOW VM and check if MCC is properly running:
   :::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png":::
-You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy.
+You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy. If iotedge list times out, you can run docker ps -a to list the running containers.
 If the 3 containers are still not running, run the following commands to check if DNS resolution is working correctly:
 ```bash
 ping www.microsoft.com
 resolvectl query microsoft.com
 ```
 See the [common issues](#common-issues) section for more information.
 #### Verify server side
-For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace <CacheServerIP\> with the IP address of the cache server.
+To validate that MCC is properly functioning, execute the following command in the EFLOW VM or any device in the network. Replace <CacheServerIP\> with the IP address of the cache server.
 ```powershell
-wget [http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]
+wget http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
 ```
 A successful test result will display a status code of 200 along with additional information.
@ -319,3 +340,69 @@ This command will provide the current status of the starting, stopping of a cont
 > [!NOTE]
 > You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation.
 >
 ### DNS needs to be configured
 Run the following IoT Edge install state check:
 ```bash
 sudo iotedge check --verbose
 ```
 If you see issues with ports 5671, 443, and 8883, your IoT Edge device needs to update the DNS for Docker.
 To configure the device to work with your DNS, use the following steps:
 1. Use `ifconfig` to find the appropriate NIC adapter name.
    ```bash
    ifconfig
    ```
 1. Run `nmcli device show <network adapter name>` to show the DNS name for the ethernet adapter. For example, to show DNS information for **eno1**:
    ```bash
    nmcli device show eno1 
    ```
    :::image type="content" source="images/mcc-isp-nmcli.png" alt-text="Screenshot of a sample output of nmcli command to show network adapter information." lightbox="./images/mcc-isp-nmcli.png":::
 1. Open or create the Docker configuration file used to configure the DNS server.
    ```bash
    sudo nano /etc/docker/daemon.json
    ```
 1. Paste the following string into the **daemon.json** file, and include the appropriate DNS server address. For example, in the previous screenshot, `IP4.DNS[1]` is `10.50.10.50`.
    ```bash
    { "dns": ["x.x.x.x"]}
    ```
 1. Save the changes to daemon.json. If you need to change permissions on this file, use the following command:
    ```bash
    sudo chmod 555 /etc/docker/daemon.json
    ```
 1. Restart Docker to pick up the new DNS setting. Then restart IoT Edge.
    ```bash
    sudo systemctl restart docker
    sudo systemctl daemon-reload
    sudo restart IoTEdge
    ```
 ### Resolve DNS issues
 Follow these steps if you see a DNS error when trying to resolve hostnames during the provisioning or download of container:
 Run ``` Get-EflowVmEndpoint ``` to get interface name
 Once you get the name 
 ```bash
 Set-EflowVmDNSServers -vendpointName "interface name from above" -dnsServers @("DNS_IP_ADDRESS")
 Stop-EflowVm
 Start-EflowVm
 ```
--- a/windows/deployment/do/mcc-enterprise-update-uninstall.md
+++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md
@ -1,6 +1,6 @@
 ---
-title: Update or uninstall MCC for Enterprise and Education
+title: Uninstall MCC for Enterprise and Education
-description: Details on how to update or uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment.
+description: Details on how to uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment.
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -18,6 +18,7 @@ appliesto:
 ms.date: 10/12/2022
 ---
 <!-- Customers will no longer update the private preview and instead install public preview
 # Update or uninstall Microsoft Connected Cache for Enterprise and Education
 Throughout the preview phase, we'll send you security and feature updates for MCC. Follow these steps to perform the update.
@ -35,8 +36,8 @@ For example:
 ```powershell
 # .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a"
 ```
-
+-->
-## Uninstall MCC
+# Uninstall MCC
 Please contact the MCC Team before uninstalling to let us know if you're facing issues.
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@ -91,9 +91,7 @@
        "operating-system-security/data-protection/**/*.md": "paolomatarazzo",
        "operating-system-security/data-protection/**/*.yml": "paolomatarazzo",
        "operating-system-security/network-security/**/*.md": "paolomatarazzo",
-        "operating-system-security/network-security/**/*.yml": "paolomatarazzo",
+        "operating-system-security/network-security/**/*.yml": "paolomatarazzo"
        "operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms",
        "operating-system-security/network-security/windows-firewall/**/*.yml": "ngangulyms"
      },
      "ms.author":{
        "application-security//**/*.md": "vinpa",
@ -111,9 +109,7 @@
        "operating-system-security/data-protection/**/*.md": "paoloma",
        "operating-system-security/data-protection/**/*.yml": "paoloma",
        "operating-system-security/network-security/**/*.md": "paoloma",
-        "operating-system-security/network-security/**/*.yml": "paoloma",
+        "operating-system-security/network-security/**/*.yml": "paoloma"
        "operating-system-security/network-security/windows-firewall/*.md": "nganguly",
        "operating-system-security/network-security/windows-firewall/*.yml": "nganguly"
      },
      "appliesto": {
        "application-security//**/*.md": [
@ -220,7 +216,7 @@
        "identity-protection/access-control/*.md": "sulahiri",
        "identity-protection/smart-cards/*.md": "ardenw",
        "identity-protection/virtual-smart-cards/*.md": "ardenw",
-        "operating-system-security/network-security/windows-firewall/*.md": "paoloma",
+        "operating-system-security/network-security/windows-firewall/*.md": "nganguly",
        "operating-system-security/network-security/vpn/*.md": "pesmith",
        "operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda",
        "operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
--- a/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
@ -134,4 +134,4 @@ If you don't want users to see the recommendation to update TPM firmware, you ca
 - [Trusted Platform Module](trusted-platform-module-top-node.md)
 - [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../../operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md)
+- [BitLocker planning guide](../../operating-system-security/data-protection/bitlocker/planning-guide.md)
--- a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml
+++ b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml
@ -21,7 +21,7 @@ items:
            href: restrict-access-to-only-specified-users-or-devices.md
      - name: Implementation designs
        items: 
-          - name: Mapping goals to a design
+          - name: Map goals to a design
            href: mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
          - name: Basic firewall design
            href: basic-firewall-policy-design.md
@ -45,11 +45,11 @@ items:
                href: certificate-based-isolation-policy-design-example.md
      - name: Design planning
        items: 
-          - name: Planning your design
+          - name: Plan your design
            href: planning-your-windows-firewall-with-advanced-security-design.md
-          - name: Planning settings for a basic firewall policy
+          - name: Plan settings for a basic firewall policy
            href: planning-settings-for-a-basic-firewall-policy.md
-          - name: Planning domain isolation zones
+          - name: Plan domain isolation zones
            items: 
              - name: Domain isolation zones
                href: planning-domain-isolation-zones.md
@ -61,21 +61,21 @@ items:
                href: boundary-zone.md
              - name: Encryption zone
                href: encryption-zone.md
-          - name: Planning server isolation zones
+          - name: Plan server isolation zones
            href: planning-server-isolation-zones.md
-          - name: Planning certificate-based authentication
+          - name: Plan certificate-based authentication
            href: planning-certificate-based-authentication.md
            items: 
-              - name: Documenting the Zones
+              - name: Document the Zones
                href: documenting-the-zones.md
-              - name: Planning group policy deployment for your isolation zones
+              - name: Plan group policy deployment for your isolation zones
                href: planning-group-policy-deployment-for-your-isolation-zones.md
                items: 
-                  - name: Planning isolation groups for the zones
+                  - name: Plan isolation groups for the zones
                    href: planning-isolation-groups-for-the-zones.md
-                  - name: Planning network access groups
+                  - name: Plan network access groups
                    href: planning-network-access-groups.md
-                  - name: Planning the GPOs
+                  - name: Plan the GPOs
                    href: planning-the-gpos.md
                    items: 
                      - name: Firewall GPOs
@ -102,41 +102,41 @@ items:
                            href: gpo-domiso-encryption.md
                      - name: Server isolation GPOs
                        href: server-isolation-gpos.md
-                  - name: Planning GPO deployment
+                  - name: Plan GPO deployment
                    href: planning-gpo-deployment.md
-      - name: Planning to deploy
+      - name: Plan to deploy
        href: planning-to-deploy-windows-firewall-with-advanced-security.md
  - name: Deployment guide
    items: 
      - name: Deployment overview
        href: windows-firewall-with-advanced-security-deployment-guide.md
-      - name: Implementing your plan
+      - name: Implement your plan
        href: implementing-your-windows-firewall-with-advanced-security-design-plan.md
      - name: Basic firewall deployment
        items: 
-          - name: "Checklist: Implementing a basic firewall policy design"
+          - name: "Checklist: Implement a basic firewall policy design"
            href: checklist-implementing-a-basic-firewall-policy-design.md
      - name: Domain isolation deployment
        items: 
-          - name: "Checklist: Implementing a Domain Isolation Policy Design"
+          - name: "Checklist: Implement a Domain Isolation Policy Design"
            href: checklist-implementing-a-domain-isolation-policy-design.md
      - name: Server isolation deployment
        items: 
-          - name: "Checklist: Implementing a Standalone Server Isolation Policy Design"
+          - name: "Checklist: Implement a Standalone Server Isolation Policy Design"
            href: checklist-implementing-a-standalone-server-isolation-policy-design.md
      - name: Certificate-based authentication
        items: 
-          - name: "Checklist: Implementing a Certificate-based Isolation Policy Design"
+          - name: "Checklist: Implement a Certificate-based Isolation Policy Design"
            href: checklist-implementing-a-certificate-based-isolation-policy-design.md
  - name: Best practices
    items: 
-      - name: Configuring the firewall
+      - name: Configure the firewall
        href: best-practices-configuring.md
-      - name: Securing IPsec
+      - name: Secure IPsec
        href: securing-end-to-end-ipsec-connections-by-using-ikev2.md
      - name: PowerShell
        href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md
-      - name: Isolating Microsoft Store Apps on Your Network
+      - name: Isolate Microsoft Store Apps on Your Network
        href: isolating-apps-on-your-network.md
  - name: How-to
    items: 
@ -154,6 +154,8 @@ items:
        href: configure-data-protection-quick-mode-settings.md
      - name: Configure Group Policy to autoenroll and deploy certificates
        href: configure-group-policy-to-autoenroll-and-deploy-certificates.md
      - name: Configure Hyper-V firewall
        href: hyper-v-firewall.md
      - name: Configure key exchange (main mode) settings
        href: configure-key-exchange-main-mode-settings.md
      - name: Configure the rules to require encryption
@ -218,31 +220,31 @@ items:
        href: verify-that-network-traffic-is-authenticated.md
  - name: References
    items: 
-      - name: "Checklist: Creating Group Policy objects"
+      - name: "Checklist: Create Group Policy objects"
        href: checklist-creating-group-policy-objects.md
-      - name: "Checklist: Creating inbound firewall rules"
+      - name: "Checklist: Create inbound firewall rules"
        href: checklist-creating-inbound-firewall-rules.md
-      - name: "Checklist: Creating outbound firewall rules"
+      - name: "Checklist: Create outbound firewall rules"
        href: checklist-creating-outbound-firewall-rules.md
-      - name: "Checklist: Configuring basic firewall settings"
+      - name: "Checklist: Configure basic firewall settings"
        href: checklist-configuring-basic-firewall-settings.md
-      - name: "Checklist: Configuring rules for the isolated domain"
+      - name: "Checklist: Configure rules for the isolated domain"
        href: checklist-configuring-rules-for-the-isolated-domain.md
-      - name: "Checklist: Configuring rules for the boundary zone"
+      - name: "Checklist: Configure rules for the boundary zone"
        href: checklist-configuring-rules-for-the-boundary-zone.md
-      - name: "Checklist: Configuring rules for the encryption zone"
+      - name: "Checklist: Configure rules for the encryption zone"
        href: checklist-configuring-rules-for-the-encryption-zone.md
-      - name: "Checklist: Configuring rules for an isolated server zone"
+      - name: "Checklist: Configure rules for an isolated server zone"
        href: checklist-configuring-rules-for-an-isolated-server-zone.md
-      - name: "Checklist: Configuring rules for servers in a standalone isolated server zone"
+      - name: "Checklist: Configure rules for servers in a standalone isolated server zone"
        href: checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
-      - name: "Checklist: Creating rules for clients of a standalone isolated server zone"
+      - name: "Checklist: Create rules for clients of a standalone isolated server zone"
        href: checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
      - name: "Appendix A: Sample GPO template files for settings used in this guide"
        href: appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
  - name: Troubleshooting
    items: 
-      - name: Troubleshooting UWP app connectivity issues in Windows Firewall
+      - name: Troubleshoot UWP app connectivity issues in Windows Firewall
        href: troubleshooting-uwp-firewall.md
      - name: Filter origin audit log improvements
        href: filter-origin-documentation.md
--- a/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
@ -2,50 +2,37 @@
 title: Add Production Devices to the Membership Group for a Zone 
 description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
 ms.prod: windows-client
-ms.topic: conceptual
+ms.topic: how-to
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
 # Add Production Devices to the Membership Group for a Zone
 After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
-**Caution**  
+> [!CAUTION]
-For GPOs that contain connection security rules that prevent unauthenticated connections, ensure you set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Don't change the boundary zone GPO to require mode.
+> For GPOs that contain connection security rules that prevent unauthenticated connections, ensure you set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Don't change the boundary zone GPO to require mode.
- 
+The method discussed in this guide uses the *Domain Computers* built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To define this setting successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the *CG_DOMISO_NOIPSEC* example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
 The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To define this setting successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
 Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you.
 **Administrative credentials**
 To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
 In this topic:
 - [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group)
 - [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
 - [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
 ## To add domain devices to the GPO membership group
-1.  Open Active Directory Users and Computers.
+1. Open Active Directory Users and Computers
-
+1. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group
-2.  In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group.
+1. In the details pane, double-click the GPO membership group to which you want to add computers
-
+1. Select the **Members** tab, and then click **Add**
-3.  In the details pane, double-click the GPO membership group to which you want to add computers.
+1. Type **Domain Computers** in the text box, and then click **OK**
-
+1. Click **OK** to close the group properties dialog box
 4.  Select the **Members** tab, and then click **Add**.
 5.  Type **Domain Computers** in the text box, and then click **OK**.
 6.  Click **OK** to close the group properties dialog box.
 After a computer is a member of the group, you can force a Group Policy refresh on the computer.
@ -53,8 +40,8 @@ After a computer is a member of the group, you can force a Group Policy refresh
 From an elevated command prompt, type the following command:
-``` syntax
+``` cmd
-gpupdate /target:computer /force
+gpupdate.exe /target:computer /force
 ```
 After Group Policy is refreshed, you can see which GPOs are currently applied to the computer.
@ -63,15 +50,6 @@ After Group Policy is refreshed, you can see which GPOs are currently applied to
 From an elevated command prompt, type the following command:
-``` syntax
+``` cmd
-gpresult /r /scope:computer
+gpresult.exe /r /scope:computer
 ```
--- a/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
@ -2,44 +2,33 @@
 title: Add Test Devices to the Membership Group for a Zone 
 description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
 ms.prod: windows-client
-ms.topic: conceptual
+ms.topic: how-to
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
 # Add Test Devices to the Membership Group for a Zone
 Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete. We also recommend that you initially deploy the rules to a few devices only to be sure that the correct GPOs are being processed by each device.
-Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it's supposed to receive.
+Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the `gpresult.exe` command to confirm that each device is receiving only the GPOs it's supposed to receive.
 **Administrative credentials**
 To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
 In this topic:
 - [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-groups)
 - [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
 - [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
 ## To add test devices to the GPO membership groups
-1.  Open Active Directory Users and Computers.
+1. Open Active Directory Users and Computers
-
+1. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account
-2.  In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account.
+1. In the details pane, double-click the GPO membership group to which you want to add devices
-
+1. Select the **Members** tab, and then click **Add**
-3.  In the details pane, double-click the GPO membership group to which you want to add devices.
+1. Type the name of the device in the text box, and then click **OK**
-
+1. Repeat steps 5 and 6 for each extra device account or group that you want to add
-4.  Select the **Members** tab, and then click **Add**.
+1. Click **OK** to close the group properties dialog box
 5.  Type the name of the device in the text box, and then click **OK**.
 6.  Repeat steps 5 and 6 for each extra device account or group that you want to add.
 7.  Click **OK** to close the group properties dialog box.
 After a device is a member of the group, you can force a Group Policy refresh on the device.
@ -47,8 +36,8 @@ After a device is a member of the group, you can force a Group Policy refresh on
 From an elevated command prompt, run the following command:
-``` syntax
+``` cmd
-gpupdate /target:device /force
+gpupdate /target:device /force
 ```
 After Group Policy is refreshed, you can see which GPOs are currently applied to the device.
@ -57,15 +46,6 @@ After Group Policy is refreshed, you can see which GPOs are currently applied to
 From an elevated command prompt, run the following command:
-``` syntax
+``` cmd
 gpresult /r /scope:computer
 ```
--- a/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
@ -3,21 +3,21 @@ title: Appendix A Sample GPO Template Files for Settings Used in this Guide
 description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Appendix A: Sample GPO Template Files for Settings Used in this Guide
+# Appendix A: sample GPO template files for settings used in this guide
 You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).
-To manually create the file, build the settings under **Computer Configuration**, **Preferences**, **Windows Settings**, **Registry**. After you have created the settings, drag the container to the desktop. An .xml file is created there.
+To manually create the file, build the settings under **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry**. After you create the settings, drag the container to the desktop. An .xml file is created there.
-To import an .xml file to GPMC, drag it and drop it on the **Registry** node under **Computer Configuration**, **Preferences**, **Windows Settings**. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide.
+To import an .xml file to GPMC, drag it and drop it on the **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry** node. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide.
 The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply.
->**Note:**  The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization.
+> [!NOTE]
 > The file shown here is for sample use only. It should be customized to meet the requirements of your organization's deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization.
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
@ -31,11 +31,11 @@ The following sample file uses item-level targeting to ensure that the registry
         image="12"
         changed="2008-05-30 20:37:37"
         uid="{52C38FD7-A081-404C-A8EA-B24A9614D0B5}"
-         desc="&lt;b&gt;Enable PMTU Discovery&lt;/b&gt;&lt;p&gt;
+         desc="<b>Enable PMTU Discovery</b><p>
            This setting configures whether computers can use PMTU
-            discovery on the network.&lt;p&gt;
+            discovery on the network.<p>
-            &lt;b&gt;1&lt;/b&gt; --  Enable&lt;br&gt;
+            <b>1</b> --  Enable<br>
-            &lt;b&gt;0&lt;/b&gt; --  Disable"
+            <b>0</b> --  Disable"
         bypassErrors="1">
   <Properties
         action="U"
@ -53,14 +53,14 @@ The following sample file uses item-level targeting to ensure that the registry
         image="12"
         changed="2008-05-30 20:33:32"
         uid="{AE5C505D-283E-4060-9A55-70659DFD56B6}"
-         desc="&lt;b&gt;IPsec Default Exemptions for Windows Server 2008
+         desc="<b>IPsec Default Exemptions for Windows Server 2008
-            and later&lt;/b&gt;&lt;p&gt;
+            and later</b><p>
            This setting determines which network traffic type is exempt
-            from any IPsec authentication requirements.&lt;p&gt;
+            from any IPsec authentication requirements.<p>
-            &lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt;
+            <b>0</b>: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP<br>
-            &lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP&lt;br&gt;
+            <b>1</b>: Exempts multicast, broadcast, ISAKMP<br>
-            &lt;b&gt;2&lt;/b&gt;: Exempts RSVP, Kerberos, ISAKMP&lt;br&gt;
+            <b>2</b>: Exempts RSVP, Kerberos, ISAKMP<br>
-            &lt;b&gt;3&lt;/b&gt;: Exempts ISAKMP only"
+            <b>3</b>: Exempts ISAKMP only"
         bypassErrors="1">
   <Properties
         action="U"
--- a/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
@ -2,69 +2,48 @@
 title: Assign Security Group Filters to the GPO 
 description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers.
 ms.prod: windows-client
-ms.collection: 
+ms.topic: how-to
-  - highpri
+ms.date: 11/10/2023
  - tier3
  - must-keep
 ms.topic: conceptual
 ms.date: 09/07/2021
 ---
 # Assign Security Group Filters to the GPO
 To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
 >[!IMPORTANT]
 >This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.
 **Administrative credentials**
 To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs.
 In this topic:
 - [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo)
 - [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo)
 ## To allow members of a group to apply a GPO
 Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO.
-1.  Open the Group Policy Management console.
+1. Open the Group Policy Management console
-
+1. In the navigation pane, find and then select the GPO that you want to modify
-2.  In the navigation pane, find and then click the GPO that you want to modify.
+1. In the details pane, under **Security Filtering**, select **Authenticated Users**, and then select **Remove**
 3.  In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**.
    >[!NOTE]
-    >You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. If the GPO contains User settings, and the **Authenticated Users** group is removed, and new security filtering is added using a security group that only contains user accounts, the GPO can fail to apply. Details and various workarounds are mentioned in this [Microsoft blog](https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/Who-broke-my-user-GPOs/ba-p/258781). 
+    >You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify.
-4.  Click **Add**.
+1. Select **Add**
-
+1. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then select **OK**. If you do not know the name, you can select **Advanced** to browse the list of groups available in the domain
 5.  In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
 ## To prevent members of a group from applying a GPO
 Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain.
-1.  Open the Group Policy Management console.
+1. Open the Group Policy Management console
-
+1. In the navigation pane, find and then select the GPO that you want to modify
-2.  In the navigation pane, find and then click the GPO that you want to modify.
+1. In the details pane, select the **Delegation** tab
-
+1. Select **Advanced**
-3.  In the details pane, click the **Delegation** tab.
+1. Under the **Group or user names** list, select **Add**
-
+1. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then select **OK**. If you do not know the name, you can select **Advanced** to browse the list of groups available in the domain
-4.  Click **Advanced**.
+1. Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy**
-
+1. Select **OK**, and then in the **Windows Security** dialog box, select **Yes**
-5.  Under the **Group or user names** list, click **Add**.
+1. The group appears in the list with **Custom** permissions
 6.  In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
 7.  Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy**.
 8.  Click **OK**, and then in the **Windows Security** dialog box, click **Yes**.
 9.  The group appears in the list with **Custom** permissions.
--- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
@ -1,132 +1,112 @@
 ---
-title: Best practices for configuring Windows Defender Firewall
+title: Best practices for configuring Windows Firewall
-description: Learn about best practices for configuring Windows Defender Firewall
+description: Learn about best practices for configuring Windows Firewall
 ms.prod: windows-client
-ms.date: 11/09/2022
+ms.date: 11/10/2023
 ms.collection: 
  - highpri
  - tier3
  - must-keep
 ms.topic: best-practice
 ---
-# Best practices for configuring Windows Defender Firewall
+# Best practices for configuring Windows Firewall
-Windows Defender Firewall with Advanced Security provides host-based, two-way
+Windows Firewall with Advanced Security provides host-based, two-way network traffic filtering and blocks unauthorized network traffic flowing into or out of the local device. Configuring your Windows Firewall based on the following best practices can help you optimize protection for devices in your network. These recommendations cover a wide range of deployments including home networks and enterprise desktop/server systems.
 network traffic filtering and blocks unauthorized network traffic flowing into
 or out of the local device. Configuring your Windows Firewall based on the
 following best practices can help you optimize protection for devices in your
 network. These recommendations cover a wide range of deployments including home
 networks and enterprise desktop/server systems.
-To open Windows Firewall, go to the **Start** menu, select **Run**,
+To open Windows Firewall, select **Start** > **Run**, type **wf.msc**, and then select **OK**. See also [Open Windows Firewall](open-windows-firewall-with-advanced-security.md).
 type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](open-windows-firewall-with-advanced-security.md).
 ## Keep default settings
-When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect.
+When you open the Windows Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect.
-![Windows Defender Firewall with Advanced Security first time opening.](images/fw01-profiles.png)
+![Windows Firewall with Advanced Security first time opening.](images/fw01-profiles.png)
 *Figure 1: Windows Defender Firewall*
 1. **Domain profile**: Used for networks where there's a system of account authentication against an Active Directory domain controller
 1. **Private profile**: Designed for and best used in private networks such as a home network
 1. **Public profile**: Designed with higher security in mind for public networks, like Wi-Fi hotspots, coffee shops, airports, hotels, or stores
-View detailed settings for each profile by right-clicking the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then selecting **Properties**.
+To view detailed settings for each profile, right-click the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then select **Properties**.
-Maintain the default settings in Windows Defender
+Maintain the default settings in Windows Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections.
 Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections.
-![A screenshot of a cell phone Description automatically generated.](images/fw03-defaults.png)
+:::image type="content" source="images/fw03-defaults.png" alt-text="Screenshot of the default inbound/outbound Firewall settings.":::
 *Figure 2: Default inbound/outbound settings*
 > [!IMPORTANT]
 > To maintain maximum security, do not change the default Block setting for inbound connections.
 For more on configuring basic firewall settings, see [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) and [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md).
-## Understand rule precedence for inbound rules
+## Rule precedence for inbound rules
-In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic.
+In many cases, a next step for administrators is to customize the firewall profiles using *rules* (sometimes called *filters*), so that they can work with applications or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic.
-This rule-adding task can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this:
+The rule-adding task can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this:
 ![Rule creation wizard.](images/fw02-createrule.png)
-*Figure 3: Rule Creation Wizard*
+> [!NOTE]
 >This article doesn't cover step-by-step rule configuration. See the [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) for general guidance on policy creation.
 In many cases, allowing specific types of inbound traffic is required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions:
 1. Explicitly defined allow rules take precedence over the default block setting
 1. Explicit block rules take precedence over any conflicting allow rules
 1. More specific rules take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 takes precedence.
 > [!TIP]
 > Because of 1 and 2, when designing a set of policies you should make sure that there are no other explicit block rules that could inadvertently overlap, thus preventing the traffic flow you wish to allow.
 A general security recommended practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.
 > [!NOTE]
->This article does not cover step-by-step rule configuration. See the [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) for general guidance on policy creation.
+> Windows Firewall doesn't support weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors as described.
 In many cases, allowing specific types of inbound traffic will be required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions.
 1. Explicitly defined allow rules will take precedence over the default block setting.
 1. Explicit block rules will take precedence over any conflicting allow rules.
 1. More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.)
 Because of 1 and 2, it's important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow.
 A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.
 > [!NOTE]
 > Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above.
 ## Create rules for new applications before first launch
 ### Inbound allow rules
-When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there's a default block action in Windows Defender Firewall, it's necessary to create inbound exception rules to allow this traffic. It's common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule.
+When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there's a default block action in Windows Firewall, it's necessary to create inbound exception rules to allow this traffic. It's common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule.
-If there's no active application or administrator-defined allow rule(s), a dialog box will prompt the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network.
+If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network.
- If the user has admin permissions, they'll be prompted. If they respond *No* or cancel the prompt, block rules will be created. Two rules are typically created, one each for TCP and UDP traffic.
+- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic.
 - If the user isn't a local admin, they won't be prompted. In most cases, block rules are created.
- If the user isn't a local admin, they won't be prompted. In most cases, block rules will be created.
+In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked.
 In either of the scenarios above, once these rules are added they must be deleted in order to generate the prompt again. If not, the traffic will continue to be blocked.
 > [!NOTE]
 > The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user.
 ### Known issues with automatic rule creation
-When designing a set of firewall policies for your network, it's a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience.
+When designing a set of firewall policies for your network, it's a recommended practice to configure *allow rules* for any networked applications deployed on the host. Having the rules in place before the user first launches the application helps to ensure a seamless experience.
 The absence of these staged rules doesn't necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues.
 To determine why some applications are blocked from communicating in the network, check for the following instances:
-1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt.
+1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt
-1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes.
+1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes
-1. Local Policy Merge is disabled, preventing the application or network service from creating local rules.
+1. Local Policy Merge is disabled, preventing the application or network service from creating local rules
 Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy.
 :::image type="content" alt-text="Windows Firewall prompt." source="images/fw04-userquery.png":::
 *Figure 4: Dialog box to allow access*
 See also [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md).
 ## Establish local policy merge and application rules
 Firewall rules can be deployed:
-1. Locally using the Firewall snap-in (**WF.msc**)
+1. Locally using the Firewall snap-in (**wf.msc**)
 1. Locally using PowerShell
-1. Remotely using Group Policy if the device is a member of an Active Directory Name, System  Center Configuration Manager, or Intune (using workplace join)
+1. Remotely using Group Policy if the device is a member of an Active Directory Name or managed by Configuration Manager
 1. Remotely, using a mobile device management (MDM) solution like Microsoft Intune
-Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles.
+Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for *Domain*, *Private*, and *Public profiles*.
 The rule-merging settings either allow or prevent local administrators from creating their own firewall rules in addition to those rules obtained from Group Policy.
 ![Customize settings.](images/fw05-rulemerge.png)
 *Figure 5: Rule merging setting*
 > [!TIP]
 > In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*.
@ -139,14 +119,14 @@ Management (MDM), or both (for hybrid or co-management environments).
 As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools.
-In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes.
+In general, to maintain maximum security, admins should only deploy firewall exceptions for apps and services determined to serve legitimate purposes.
 > [!NOTE]
-> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. We currently only support rules created using the full path to the application(s).
+> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. You can only create rules using the full path to the application(s).
-## Understand Group Policy Processing  
+## Understand group policy processing  
-The Windows Firewall settings configured via group policy are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes.
+The Windows Firewall settings configured via group policy or CSP are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes.
 Windows Firewall monitors the registry for changes, and if something is written to the registry it notifies the *Windows Filtering Platform (WFP)*, which performs the following actions:
@ -157,13 +137,13 @@ Windows Firewall monitors the registry for changes, and if something is written
 > [!NOTE]
 > The actions are triggered whenever something is written to, or deleted from the registry location the GPO settings are stored, regardless if there's really a configuration change. During the process, IPsec connections are disconnected.
-Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing`. The *Process even if the Group Policy objects have not changed* option updates and reapplies the policies even if the policies have not changed. This option is disabled by default.
+Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing`. The *Process even if the Group Policy objects haven't changed* option updates and reapplies the policies even if the policies haven't changed. This option is disabled by default.
-If you enable the option *Process even if the Group Policy objects have not changed*, the WFP filters get reapplied during **every** background refresh. In case you have ten group policies, the WFP filters get reapplied ten times during the refresh interval. If an error happens during policy processing, the applied settings may be incomplete, resulting in issues like:
+If you enable the option *Process even if the Group Policy objects haven't changed*, the WFP filters get reapplied during **every** background refresh. In case you have 10 group policies, the WFP filters get reapplied 10 times during the refresh interval. If an error happens during policy processing, the applied settings might be incomplete, resulting in issues like:
- Windows Defender Firewall blocks inbound or outbound traffic allowed by group policies
+- Windows Firewall blocks inbound or outbound traffic allowed by group policies
 - Local Firewall settings are applied instead of group policy settings
- IPsec connections cannot establish
+- IPsec connections can't establish
 The temporary solution is to refresh the group policy settings, using the command `gpupdate.exe /force`, which requires connectivity to a domain controller.
@ -174,7 +154,7 @@ To avoid the issue, leave the policy `Computer Configuration > Administrative Te
 >
 > If there's a requirement to force registry deletion and rewrite, then disable background processing by checking the checkbox next to **Do not apply during periodic background processing**.
-## Know how to use "shields up" mode for active attacks
+## Know how to use *shields up* mode for active attacks
 An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.
@ -189,7 +169,7 @@ incoming connections, including those in the list of allowed apps** setting foun
 *Figure 7: Legacy firewall.cpl*
-By default, the Windows Defender Firewall will block everything unless there's an exception rule created. This setting overrides the exceptions. 
+By default, the Windows Firewall blocks everything unless there's an exception rule created. This setting overrides the exceptions.
 For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access won't work as long as shields up is activated.
@ -201,7 +181,7 @@ What follows are a few general guidelines for configuring outbound rules.
 - The default configuration of Blocked for Outbound rules can be considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default
 - It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use
- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments)
+- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments)
 For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md).
@ -215,17 +195,15 @@ Windows Firewall now supports the use of Windows Defender Application Control (W
 ### Step 1: Deploy WDAC AppId Tagging Policies
-A Windows Defender Application Control (WDAC) policy needs to be deployed which specifies individual applications or groups of applications to apply a PolicyAppId tag to the process token(s). Then, the admin can define firewall rules which are scoped to all processes tagged with the matching PolicyAppId.  
+A Windows Defender Application Control (WDAC) policy needs to be deployed which specifies individual applications or groups of applications to apply a PolicyAppId tag to the process token(s). Then, the admin can define firewall rules that are scoped to all processes tagged with the matching PolicyAppId.
-Follow the detailed [WDAC Application ID (AppId) Tagging Guide](/windows/security/threat-protection/windows-defender-application-control/appidtagging/windows-defender-application-control-appid-tagging-guide) to create, deploy, and test an AppID (Application ID) policy to tag applications. 
+Follow the detailed [WDAC Application ID (AppId) Tagging Guide](/windows/security/threat-protection/windows-defender-application-control/appidtagging/windows-defender-application-control-appid-tagging-guide) to create, deploy, and test an AppID (Application ID) policy to tag applications.
 ### Step 2: Configure Firewall Rules using PolicyAppId Tags
- **Deploy firewall rules with Intune:** When creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. The properties come directly from the [Firewall configuration service provider ](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform.
+- **Deploy firewall rules with Intune:** When creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. The properties come directly from the [Firewall configuration service provider](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform.
 You can do this through the Intune admin center under Endpoint security > Firewall. Policy templates can be found via Create policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Firewall or Microsoft Defender Firewall Rules.
 OR
- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule) and specify the `–PolicyAppId` tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported. 
+- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule) and specify the `-PolicyAppId` tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported.
--- a/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md
@ -3,12 +3,11 @@ title: Certificate-based Isolation Policy Design Example
 description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
 # Certificate-based Isolation Policy Design Example
 This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
 One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it's considered unsolicited inbound traffic to the devices that receive this information.
@ -27,7 +26,7 @@ The creation of the IPsec connection security rules for a non-Windows device is
 The non-Windows device can be effectively made a member of the boundary zone or the encryption zone based on the IPsec rules applied to the device. The only constraint is that the main mode and quick mode encryption algorithms supported by the UNIX device must also be supported by the Windows-based devices with which it communicates.
-**Other traffic notes:**
+### Other traffic notes
 - None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows device.
@ -35,12 +34,14 @@ The non-Windows device can be effectively made a member of the boundary zone or
 Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices in their organization.
-The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. This certificate-based authoring doesn't require including new rules, just adding certificate-based authentication as an option to the existing rules.
+The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory-supported Kerberos V5 authentication. This certificate-based authoring doesn't require including new rules, just adding certificate-based authentication as an option to the existing rules.
-When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because most of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type.
+When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because most of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type.
-With the help of the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member.
+With the help of the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG_COMPUTER_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member.
-Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
+Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG_COMPUTER_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
-**Next:** [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
+> [!div class="nextstepaction"]
 >
 > [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
--- a/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md
@ -3,12 +3,11 @@ title: Certificate-based Isolation Policy Design
 description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
 # Certificate-based isolation policy design
 In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
 Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices can't join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows can't join a domain for various reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol.
@ -22,13 +21,7 @@ For Windows devices that are part of an Active Directory domain, you can use Gro
 For more info about this design:
 - This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
 - To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md).
 - Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
 - To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md).
 - For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).
--- a/windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md
@ -2,49 +2,41 @@
 title: Change Rules from Request to Require Mode 
 description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
 ms.prod: windows-client
-ms.topic: conceptual
+ms.topic: how-to
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
 # Change Rules from Request to Require Mode
 After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Don't change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that aren't part of the isolated domain.
 **Administrative credentials**
 To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
 In this topic:
 - [Convert a rule from request to require mode](#to-convert-a-rule-from-request-to-require-mode)
 - [Apply the modified GPOs to the client devices](#to-apply-the-modified-gpos-to-the-client-devices)
 ## To convert a rule from request to require mode
-1.  Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
+1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
-
+1. In the right navigation pane, click **Connection Security Rules**
-2.  In the right navigation pane, click **Connection Security Rules**.
+1. In the details pane, double-click the connection security rule that you want to modify
-
+1. Click the **Authentication** tab
-3.  In the details pane, double-click the connection security rule that you want to modify.
+1. In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK**
 4.  Click the **Authentication** tab.
 5.  In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK**.
 ## To apply the modified GPOs to the client devices
 1. The next time each device refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, run the following command from an elevated command prompt:
-    ``` syntax
+    ``` cmd
-    gpupdate /force
+    gpupdate.exe /force
    ```
-2.  To verify that the modified GPO is correctly applied to the client devices, you can run the following command:
+1. To verify that the modified GPO is correctly applied to the client devices, you can run the following command:
-    ``` syntax
+    ``` cmd
-    gpresult /r /scope computer
+    gpresult.exe /r /scope computer
    ```
-3.  Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device.
+1. Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device.
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md
@ -3,15 +3,12 @@ title: Checklist Configuring Basic Firewall Settings
 description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Configuring Basic Firewall Settings
+# Checklist: configure basic firewall settings
-
+This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules:
 This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules.
 **Checklist: Configuring firewall defaults and settings**
 | Task | Reference |
 | - | - |
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
@ -3,26 +3,21 @@ title: Checklist Configuring Rules for an Isolated Server Zone
 description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Configuring Rules for an Isolated Server Zone
+# Checklist: configure rules for an isolated server zone
 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that isn't part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
 In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or devices who are authenticated members of a network access group (NAG). If you include user accounts in the NAG, then the restrictions can still apply; they're enforced at the application layer, rather than the IP layer.
 Devices that are running at least Windows Vista and Windows Server 2008 can identify both devices and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication.
 The GPOs for an isolated server or group of servers are similar to those GPOs for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules and restrictions that allow only members of the NAG to connect to the server.
 **Checklist: Configuring rules for isolated servers**
 | Task | Reference |
 | - | - |
-| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.<br/>Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it's constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
+| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.<br/>Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO's element to make sure it's constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
-| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
+| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone's membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)|
 | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)|
 | Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)|
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
@ -3,18 +3,15 @@ title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Z
 description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
+# Checklist: configure rules for servers in a standalone isolated server zone
 This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that isn't part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
 The GPOs for isolated servers are similar to those GPOs for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server.
 **Checklist: Configuring rules for isolated servers**
 | Task | Reference |
 | - | - |
 | Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) <br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
@ -27,7 +24,7 @@ The GPOs for isolated servers are similar to those GPOs for an isolated domain.
 | Create a rule that requests authentication for all inbound network traffic. <br/><br/>**Important:**  As in an isolated domain, don't set the rules to require authentication until your testing is complete. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)|
 | If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)|
 | Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) |
-| Create a firewall rule that allows inbound network traffic only if it's authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| 
+| Create a firewall rule that allows inbound network traffic only if it's authenticated from a user or device that is a member of the zone's NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)|
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
 | Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
@ -3,18 +3,15 @@ title: Checklist Configuring Rules for the Boundary Zone
 description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Configuring Rules for the Boundary Zone
+# Checklist: configure rules for the boundary zone
 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
 Rules for the boundary zone are typically the same as those rules for the isolated domain, with the exception that the final rule is left to only request, not require, authentication.
 **Checklist: Configuring boundary zone rules**
 This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you don't change the rule from request authentication to require authentication when you create the other GPOs.
 | Task | Reference |
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
@ -3,18 +3,15 @@ title: Checklist Configuring Rules for the Encryption Zone
 description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Configuring Rules for the Encryption Zone
+# Checklist: configure rules for the encryption zone
 This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
 Rules for the encryption zone are typically the same as those rules for the isolated domain, with the exception that the main rule requires encryption in addition to authentication.
 **Checklist: Configuring encryption zone rules**
 This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain.
 | Task | Reference |
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
@ -3,16 +3,13 @@ title: Checklist Configuring Rules for the Isolated Domain
 description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Configuring Rules for the Isolated Domain
+# Checklist: configure rules for the isolated domain
 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
 **Checklist: Configuring isolated domain rules**
 | Task | Reference |
 | - | - |
 | Create a GPO for the computers in the isolated domain running one of the operating systems. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)<br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
@ -23,9 +20,8 @@ The following checklists include tasks for configuring connection security rules
 | Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)|
 | Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)|
 | Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)|
-| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
+| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
 | Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
 | Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|
 Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md
@ -3,19 +3,18 @@ title: Checklist Creating Group Policy Objects
 description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Creating Group Policy Objects
+# Checklist: Create group policy objects (GPOs)
-
+To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group.
 To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group.
 The checklists for firewall, domain isolation, and server isolation include a link to this checklist.
 ## About membership groups
-For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 11, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied.
+For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied.
 ## About exclusion groups
@ -23,12 +22,10 @@ A Windows Defender Firewall with Advanced Security design must often take into a
 You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To use the group as an exclusion group, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones.
 **Checklist: Creating Group Policy objects**
 | Task | Reference |
 | - | - |
 | Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)|
-| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.<br/>If some devices in the membership group are running an operating system that doesn't support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that can't be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)|
+| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)|
 | Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) |
 | Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) |
 | Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) |
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md
@ -3,16 +3,13 @@ title: Checklist Creating Inbound Firewall Rules
 description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Creating Inbound Firewall Rules
+# Checklist: create inbound firewall rules
 This checklist includes tasks for creating firewall rules in your GPOs.
 **Checklist: Creating inbound firewall rules**
 | Task | Reference |
 | - | - |
 | Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)|
@ -20,14 +17,3 @@ This checklist includes tasks for creating firewall rules in your GPOs.
 | Create a rule that allows inbound ICMP network traffic. | [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)|
 | Create rules that allow inbound RPC network traffic. | [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)|
 | Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)|
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md
@ -3,31 +3,18 @@ title: Checklist Creating Outbound Firewall Rules
 description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Creating Outbound Firewall Rules
+# Checklist: create outbound firewall rules
 This checklist includes tasks for creating outbound firewall rules in your GPOs.
->**Important:**  By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create.
+> [!IMPORTANT]
-
+> By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization's network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create.
 **Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
 | Task | Reference |
 | - | - |
 | Create a rule that allows a program to send any outbound network traffic on any port it requires. | [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)|
 | Create a rule that allows outbound network traffic on a specified port number. | [Create an Outbound Port Rule](create-an-outbound-port-rule.md)|
 | Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)|
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
@ -3,16 +3,13 @@ title: Create Rules for Standalone Isolated Server Zone Clients
 description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone
+# Checklist: Create rules for clients of a standalone isolated server zone
 This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone.
 **Checklist: Configuring isolated server zone client rules**
 | Task | Reference |
 | - | - |
 | Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you've finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) <br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
@ -22,6 +19,6 @@ This checklist includes tasks for configuring connection security rules and IPse
 | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)|
 | Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)|
 | Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)|
-| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that can't use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| 
+| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior has no delay when communicating with devices that can't use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)|
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)|
 | Add your test devices to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
@ -3,20 +3,18 @@ title: Checklist Implementing a Basic Firewall Policy Design
 description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Implementing a Basic Firewall Policy Design
+# Checklist: implement a basic firewall policy design
 This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
->**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
+> [!NOTE]
 > Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
 The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
  **Checklist: Implementing a basic firewall policy design**
 | Task | Reference |
 | - | - |
 | Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Basic Firewall Policy Design](basic-firewall-policy-design.md)<br/>[Firewall Policy Design Example](firewall-policy-design-example.md)<br/>[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)|
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
@ -3,23 +3,20 @@ title: Checklist Implementing a Certificate-based Isolation Policy Design
 description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Implementing a Certificate-based Isolation Policy Design
+# Checklist: implement a certificate-based isolation policy design
 This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.
 > [!NOTE]
 > Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist
 **Checklist: Implementing certificate-based authentication**
 | Task | Reference |
 | - | - |
 | Review important concepts and examples for certificate-based authentication to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)<br/>[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)<br/>[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
-| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you haven't already deployed a CA on your network.| |
+| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you haven't already deployed a CA on your network.| |
 | Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)|
 | Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)|
 | On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)|
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
@ -3,11 +3,10 @@ title: Checklist Implementing a Domain Isolation Policy Design
 description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Implementing a Domain Isolation Policy Design
+# Checklist: implementing a domain isolation policy design
 This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
@ -16,11 +15,9 @@ This parent checklist includes cross-reference links to important concepts about
 The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
 **Checklist: Implementing a domain isolation policy design**
 | Task | Reference |
 | - | - |
-| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security implementation goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Domain Isolation Policy Design](domain-isolation-policy-design.md)<br/>[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)<br/>[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) |
+| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security implementation goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Domain Isolation Policy Design](domain-isolation-policy-design.md)<br/>[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)<br/>[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) |
 | Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)|
 | Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)|
 | Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)|
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
@ -3,11 +3,10 @@ title: Checklist Implementing a Standalone Server Isolation Policy Design
 description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/07/2021
+ms.date: 11/10/2023
 ---
-# Checklist: Implementing a Standalone Server Isolation Policy Design
+# Checklist: implementing a standalone server isolation policy design
 This checklist contains procedures for creating a server isolation policy design that isn't part of an isolated domain. For information on the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).
@ -16,8 +15,6 @@ This parent checklist includes cross-reference links to important concepts about
 > [!NOTE]
 > Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
 **Checklist: Implementing a standalone server isolation policy design**
 | Task | Reference |
 | - | - |
 | Review important concepts and examples for the server isolation policy design to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Server Isolation Policy Design](server-isolation-policy-design.md)<br/>[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)<br/>[Planning Server Isolation Zones](planning-server-isolation-zones.md) |
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@ -0,0 +1,145 @@
 ---
 title: Hyper-V firewall 
 description: Learn how to configure Hyper-V firewall rules and settings using PowerShell or Configuration Service Provider (CSP).
 ms.topic: how-to
 ms.date: 11/08/2023
 author: paolomatarazzo
 ms.author: paoloma
 appliesto:
 - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
 ---
 # Configure Hyper-V firewall
 Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall solution that enables filtering of inbound and outbound traffic to/from containers hosted by Windows, including the Windows Subsystem for Linux (WSL).\
 This article describes how to configure Hyper-V firewall rules and settings using PowerShell or configuration service provider (CSP).
 > [!IMPORTANT]
 > The configuration of Hyper-V firewall is not available via group policy (GPO). If Windows Firewall settings are configured via GPO and Hyper-V firewall settings aren't configured via CSP, then the applicable rules and settings are automatically mirrored from the GPO configuration.
 ## Configure Hyper-V firewall with PowerShell
 This section describes the steps to manage Hyper-V firewall using PowerShell.
 ### Obtain the WSL GUID
 Hyper-V firewall rules are enabled per *VMCreatorId*. To obtain the VMCreatorId, use the cmdlet:  
 ```powershell
 Get-NetFirewallHyperVVMCreator 
 ```
 The output contains a VmCreator object type, which has unique identifier `VMCreatorId` and `friendly name` properties. For example, the following output shows the properties of WSL:
 ```powershell
 PS C:\> Get-NetFirewallHyperVVMCreator
 VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90} 
 FriendlyName : WSL 
 ```
 > [!NOTE]
 > The WSL VMCreatorId is `{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}`.
 ### Verify Hyper-V firewall settings
 Hyper-V firewall has settings that apply in general to a VMCreatorId. Use the [Get-NetFirewallHyperVVMSetting][PS-1] cmdlet to check the settings. For example, you can obtain the policies applied to WSL with the command:
 ```powershell
 Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'
 ```
 > [!NOTE]
 > `-PolicyStore ActiveStore` returns the *applied* settings.
 The output contains the following values:
 | Value | Description |
 |--|--|
 | `Enabled` (True/False) | True if Hyper-V Firewall is enabled for WSL VMs. |
 | `DefaultInboundAction`, `DefaultOutboundAction` | These are default rule policies applied to packets entering or leaving the WSL container. The rule policies can be modified, as described in this article.  |
 | `LoopbackEnabled` | Tracks if loopback traffic between the host and the container is allowed, without requiring any Hyper-V Firewall rules. WSL enables it by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host. |
 | `AllowHostPolicyMerge` | Determines how Windows Host Firewall Enterprise Settings (GPO), Hyper-V Firewall Enterprise Settings (CSP), Windows Host Firewall Enterprise Settings (CSP), local Hyper-V Firewall settings, and local Host Firewall settings interact.<br>This setting is detailed with the [Set-NetFirewallHyperVVMSetting][PS-2] cmdlet. |
 ### Configure Hyper-V firewall settings
 To configure Hyper-V firewall, use the [Set-NetFirewallHyperVVMSetting][PS-2] command. For example, the following command sets the default inbound connection to *Allow*:
 ```powershell
 Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow 
 ```
 ### Firewall Rules
 Hyper-V firewall rules can be enumerated and created from PowerShell. To view rules, use the [Get-NetFirewallHyperVRule][PS-3] cmdlet. For example, to view firewall rules that only pertain to WSL, use the following command:
 ```powershell
 Get-NetFirewallHyperVRule -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'
 ```
 To configure specific rules, use the [Set-NetFirewallHyperVRule][PS-4] cmdlet.
 For example, to create an inbound rule to allow TCP traffic to WSL on port 80, use the following command:  
 ```powershell
 New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -Protocol TCP -LocalPorts 80 
 ```
 ### Target Hyper-V firewall rules and settings to specific profiles
 Hyper-V firewall rules and settings can be targeted to the *Firewall profiles*, which are based on the type of network the device is connected to:
 - Public profile
 - Private profile
 - Domain profile
 The policy options are similar to the ones already described, but are applied to specific profiles for the connected Windows Host network adapter.
 To view the settings per profile, use the following command:
 ```powershell
 Get-NetFirewallHyperVProfile -PolicyStore ActiveStore 
 ```
 > [!NOTE]
 > `-PolicyStore ActiveStore` returns the *applied* settings.
 The output contains an extra value compared to the ones described in the previous section:
 | Value | Description |
 |--|--|
 | `AllowLocalFirewallRules` (True/False)| This setting determines how enterprise Hyper-V firewall rules (CSP or GPO) interact with the locally defined Hyper-V firewall rules:<br>- if the value is *True*, both the enterprise Hyper-V firewall rules and the locally defined rules are applied<br>- if the value is *False*, the locally defined Hyper-V firewall rules aren't applied, and only enterprise rules are applied. |
 > [!NOTE]
 > To configure these **settings** per profile, use the [Set-NetFirewallHyperVProfile][PS-5] cmdlet.
 >
 > To configure these **rules** per profile using the [Set-NetFirewallHyperVRule][PS-4] cmdlet with the `-Profile` option.
 ## Configure Hyper-V firewall with CSP
 You can configure Hyper-V firewall using the [Firewall CSP][CSP-1], for example with an MDM solution like Microsoft Intune.
 To learn more about the CSP options, follow these links:
 - [Configure Hyper-V firewall settings][SETTINGS]: to configure the Hyper-V firewall settings
 - [Configure Hyper-V firewall rules][RULE]: to configure list of rules controlling traffic through the Hyper-V firewall
 To learn how to configure the firewall with Microsoft Intune, see [Firewall policy for endpoint security][INT-1].
 ### :::image type="icon" source="../../../images/icons/feedback.svg" border="false"::: Provide feedback
 To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Microsoft Defender Firewall and network protection**.
 <!--links used in this document-->
 [CSP-1]: /windows/client-management/mdm/firewall-csp
 [FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
 [INT-1]: /mem/intune/protect/endpoint-security-firewall-policy
 [PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting
 [PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting
 [PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule
 [PS-4]: /powershell/module/netsecurity/set-netfirewallhypervrule
 [PS-5]: /powershell/module/netsecurity/set-netfirewallhypervprofile
 [RULE]: /windows/client-management/mdm/firewall-csp#mdmstorehypervfirewallrules
 [SETTINGS]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettings
--- a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md
@ -3,23 +3,25 @@ title: Server Isolation GPOs
 description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/08/2021
+ms.date: 11/10/2023
 ---
 # Server Isolation GPOs
 Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The *Woodgrove Bank* example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. *Woodgrove Bank* copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose.
-Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose.
+All of the device accounts for devices in the SQL Server server isolation zone are added to the group *CG_SRVISO_WGBANK_SQL*. This group is granted **Read** and **Apply Group Policy** permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. Client devices aren't expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone.
-All of the device accounts for devices in the SQL Server server isolation zone are added to the group CG\_SRVISO\_WGBANK\_SQL. This group is granted Read and Apply Group Policy permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. Client devices aren't expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone.
+## GPO_SRVISO
-## GPO\_SRVISO
+This GPO is identical to the *GPO_DOMISO_Encryption* GPO with the following changes:
 - The firewall rule that enforces encryption is modified to include the NAGs on the **Users and Computers** tab of the rule. The NAGs-granted permissions include *CG_NAG_SQL_Users* and *CG_NAG_SQL_Computers*.
-This GPO is identical to the GPO\_DOMISO\_Encryption GPO with the following changes:
+## Next steps
-   The firewall rule that enforces encryption is modified to include the NAGs on the **Users and Computers** tab of the rule. The NAGs-granted permissions include CG\_NAG\_SQL\_Users and CG\_NAG\_SQL\_Computers.
+> [!div class="nextstepaction"]
-
+> Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory.
-    >**Important:**  Earlier versions of Windows support only device-based authentication. If you specify that user authentication is mandatory, only users on devices that are running at least Windows Vista or Windows Server 2008 can connect.
+>
-
+>
-**Next:** [Planning GPO Deployment](planning-gpo-deployment.md)
+> [Plan GPO Deployment >](planning-gpo-deployment.md)
--- a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md
@ -3,15 +3,14 @@ title: Server Isolation Policy Design Example
 description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/08/2021
+ms.date: 11/10/2023
 ---
 # Server Isolation Policy Design Example
 This design example continues to use the fictitious company *Woodgrove Bank*, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section.
-This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section.
+In addition to the protections provided by the firewall and domain isolation, *Woodgrove Bank* wants to provide extra protection to the devices that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. These rules and regulations include a requirement to prevent interception of and access to the information when it is in transit over the network.
 In addition to the protections provided by the firewall and domain isolation, Woodgrove Bank wants to provide extra protection to the devices that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. These rules and regulations include a requirement to prevent interception of and access to the information when it is in transit over the network.
 The information presented by the WGBank front-end servers to the client devices, and the information presented by the WGPartner servers to the remote partner devices, aren't considered sensitive for the purposes of the government regulations, because they're processed to remove sensitive elements before transmitting the data to the client devices.
@ -23,7 +22,7 @@ Server isolation can also be deployed by itself, to only the devices that must p
 In short, instead of applying the client GPO to all clients in the domain, you apply the GPO to only the members of the NAG.
-If you don't have an Active Directory domain, you can manually apply the connection security rules, use a netsh command-line script, or use a Windows PowerShell script to help automate the configuration of the rules on larger numbers of devices. If you don't have an Active Directory domain, you can't use the Kerberos V5 protocol, but instead must provide the clients and the isolated servers with certificates that are referenced in the connection security rules.
+If you don't have an Active Directory domain, you can manually apply the connection security rules, use a netsh command-line script, or use a Windows PowerShell script to help automate the configuration of the rules on larger numbers of devices. If you don't have an Active Directory domain, you can't use the Kerberos V5 protocol, but instead must provide the clients and the isolated servers with certificates that are referenced in the connection security rules.
 ## Design requirements
@ -33,39 +32,38 @@ The following illustration shows the traffic protection needs for this design ex
 ![isolated server example.](images/wfas-design3example1.gif)
-1.  Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. These accounts include the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it's sent from an authorized computer. Authorization is determined by membership in a network access group (NAG).
+1. Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. These accounts include the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it's sent from an authorized computer. Authorization is determined by membership in a network access group (NAG)
 1. All network traffic to and from the SQL Server devices must be encrypted
 1. Client devices or users whose accounts aren't members of the NAG can't access the isolated servers
-2.  All network traffic to and from the SQL Server devices must be encrypted.
+### Other traffic notes
-3.  Client devices or users whose accounts aren't members of the NAG can't access the isolated servers.
+- All of the design requirements shown in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced
-
+- All of the design requirements shown in the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section are still enforced
 **Other traffic notes:**
 -   All of the design requirements shown in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced.
 -   All of the design requirements shown in the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section are still enforced.
 ## Design details
-Woodgrove Bank uses Active Directory groups and GPOs to deploy the server isolation settings and rules to the devices on its network.
+*Woodgrove Bank* uses Active Directory groups and GPOs to deploy the server isolation settings and rules to the devices on its network.
 As in the previously described policy design examples, GPOs to implement the domain isolation environment are linked to the domain container in Active Directory, and then WMI filters and security group filters are attached to GPOs to ensure that the correct GPO is applied to each computer. The following groups were created by using the Active Directory Users and Computers snap-in, and all devices that run Windows were added to the correct groups.
-   **CG\_SRVISO\_WGBANK\_SQL**. This group contains the computer accounts for the devices that run SQL Server. Members of this group receive a GPO with firewall and connections security rules that require that only users who are members of the group CG\_NAG\_SQL\_USERS can access the server, and only when they're using a computer that is a member of the group CG\_NAG\_SQL\_COMPUTERS.
+- **CG_SRVISO_WGBANK_SQL**. This group contains the computer accounts for the devices that run SQL Server. Members of this group receive a GPO with firewall and connections security rules that require that only users who are members of the group CG_NAG_SQL_USERS can access the server, and only when they're using a computer that is a member of the group CG_NAG_SQL_COMPUTERS.
->**Note:**  You can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
+    > [!NOTE]
    > You can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
- 
+    Network access groups (NAGs) aren't used to determine which GPOs are applied to a computer. Instead, these groups determine which users and devices can access the services on the isolated server.
 Network access groups (NAGs) aren't used to determine which GPOs are applied to a computer. Instead, these groups determine which users and devices can access the services on the isolated server.
-   **CG\_NAG\_SQL\_COMPUTERS**. This network access group contains the computer accounts that are able to access the devices running SQL Server hosting the WGBank data. Members of this group include the WGBank front-end servers, and some client devices from which SQL Server administrators are permitted to work on the servers.
+- **CG_NAG_SQL_COMPUTERS**. This network access group contains the computer accounts that are able to access the devices running SQL Server hosting the WGBank data. Members of this group include the WGBank front-end servers, and some client devices from which SQL Server administrators are permitted to work on the servers.
 - **CG_NAG_SQL_USERS**. This network access group contains the user accounts of users who are permitted to access the SQL Server devices that host the WGBank data. Members of this group include the service account that the WGBank front-end program uses to run on its devices, and the user accounts for the SQL Server administration team members.
-   **CG\_NAG\_SQL\_USERS**. This network access group contains the user accounts of users who are permitted to access the SQL Server devices that host the WGBank data. Members of this group include the service account that the WGBank front-end program uses to run on its devices, and the user accounts for the SQL Server administration team members.
+> [!NOTE]
 > You can use a single group for both user and computer accounts. Woodgrove Bank chose to keep them separate for clarity.
->**Note:**  You can use a single group for both user and computer accounts. Woodgrove Bank chose to keep them separate for clarity.
+If Woodgrove Bank wants to implement server isolation without domain isolation, the *CG_NAG_SQL_COMPUTERS* group can also be attached as a security group filter on the GPOs that apply connection security rules to the client devices. By doing this task, all the devices that are authorized to access the isolated server also have the required connection security rules.
 If Woodgrove Bank wants to implement server isolation without domain isolation, the CG\_NAG\_SQL\_COMPUTERS group can also be attached as a security group filter on the GPOs that apply connection security rules to the client devices. By doing this task, all the devices that are authorized to access the isolated server also have the required connection security rules.
 You don't have to include the encryption-capable rules on all devices. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contains connection security rules to support encryption.
-**Next:** [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
+> [!div class="nextstepaction"]
 >
 > [Certificate-based Isolation Policy Design Example >](certificate-based-isolation-policy-design-example.md)
--- a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md
@ -3,12 +3,11 @@ title: Server Isolation Policy Design
 description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group.
 ms.prod: windows-client
 ms.topic: conceptual
-ms.date: 09/08/2021
+ms.date: 11/10/2023
 ---
 # Server Isolation Policy Design
 In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG).
 This design typically begins with a network configured as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. For this design, you then create zones for servers that have more security requirements. The zones can limit access to the server to only members of authorized groups, and can optionally require the encryption of all traffic in or out of these servers. These restrictions and requirements can be done on a per-server basis, or for a group of servers that share common security requirements.
@ -22,9 +21,7 @@ The design is shown in the following illustration, with arrows that show the per
 Characteristics of this design include:
 - Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then devices in the boundary zone behave just like other members of the isolated domain in the way that they interact with devices in server isolation zones.
 - Isolated servers (area B) - Devices in the server isolation zones restrict access to devices, and optionally users, that authenticate as a member of a network access group (NAG) authorized to gain access.
 - Encryption zone (area C) - If the data being exchanged is sufficiently sensitive, the connection security rules for the zone can also require that the network traffic be encrypted. Encryption zones are most often implemented as rules that are part of a server isolation zone, instead of as a separate zone. The diagram illustrates the concept as a subset for conceptual purposes only.
 To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules.
@ -37,13 +34,11 @@ This design can be applied to devices that are part of an Active Directory fores
 For more info about this design:
 - This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
 - To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
 - Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
 - To help you make the decisions required in this design, see [Planning Server Isolation Zones](planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md).
 - For a list of tasks that you can use to deploy your server isolation policy design, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
-**Next:** [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
+> [!div class="nextstepaction"]
 >
 > [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)